How to see www* as host from secure.log and access.log ?

Hello Splunkers,

I am forwarding logs from a Universal Forwarder to a Search Peer (standalone Indexer) and doing the search from a standalone Search Head. I have done this as far as my understanding goes. How can I see access.log and secure.log from hosts www1 - www9?

Below is the inputs.conf of my UF: (log path:- /opt/logs/www1 - www9)

[default]
host = UF-01-248

[monitor:///opt/log/www*/secure.log]
disabled = 0
host_segment = 5
sourcetype = secure.log
index = main

[monitor:///opt/log/www*/access.log]
disabled = 0
host_segment = 9
sourcetype = access.log
index = web
0 Karma

Re: How to see www* as host from secure.log and access.log ?

SplunkTrust

Try setting host_segment (which is basically on what level the host is available in file path/source) to 3 for both. Seems like 3rd portion of the path is what you want as host.

In /opt/log/www*/ : opt-1st, log-2nd, www*-3rd
0 Karma

Re: How to see www* as host from secure.log and access.log ?

Thanks for reviewing my post. You mean to say like below,

[default]
host = UF-01-248

[monitor:///opt/log/www/secure]
disabled = 0
host_segment = 5
sourcetype = secure.log
index = main

[monitor:///opt/log/www/access]
disabled = 0
host_segment = 9
sourcetype = access.log
index = web

My requirement is to see www1, www2, etc. as individual hosts from the Search Head, each with its individual access.log or secure.log.

0 Karma

Re: How to see www* as host from secure.log and access.log ?

Splunk Employee

You can use the host_segment attribute to choose any segment of the monitored path to be the host value. For example, a host_segment=3 setting should pick up the "www*" value from your above monitored path. Also, you can use a regular expression with the host_regex attribute for more advanced ways to dynamically set the host value.

Here is the documentation and examples on how to dynamically setup the host value.
https://docs.splunk.com/Documentation/Splunk/6.5.1/Data/Setadefaulthostforaninput#Dynamically_set_th...

View solution in original post

0 Karma
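
The following is an added example, not code from the thread or from Splunk: a small Python model of how host_segment and host_regex derive the host from the monitored file path, showing why segments 5 and 9 cannot resolve for /opt/log/www*/... while 3 does. The function names and sample paths are constructed for illustration, and the fallback to the default host for an out-of-range segment is an assumption of this sketch.

```python
import re

DEFAULT_HOST = "UF-01-248"  # the [default] host from the inputs.conf in this thread


def host_from_segment(source_path, host_segment, default_host=DEFAULT_HOST):
    """Model of host_segment: use the Nth '/'-separated path segment as host.

    Assumption of this sketch: a non-positive or out-of-range segment
    falls back to the default host.
    """
    segments = [s for s in source_path.split("/") if s]
    if isinstance(host_segment, int) and 1 <= host_segment <= len(segments):
        return segments[host_segment - 1]
    return default_host


def host_from_regex(source_path, host_regex, default_host=DEFAULT_HOST):
    """Model of host_regex: first capture group of a match on the path."""
    m = re.search(host_regex, source_path)
    if m and m.groups() and m.group(1):
        return m.group(1)
    return default_host


def audit(paths, host_segment):
    """Map each monitored file to the host it would be indexed under."""
    return {p: host_from_segment(p, host_segment) for p in paths}


# Constructed sample paths following the thread's layout (/opt/log/www1 .. www9)
SAMPLE_PATHS = [
    f"/opt/log/www{n}/{name}"
    for n in (1, 2, 9)
    for name in ("secure.log", "access.log")
]

if __name__ == "__main__":
    # /opt/log/www1/secure.log has only four segments: opt, log, www1, secure.log
    for seg in (5, 9, 3):
        hosts = sorted(set(audit(SAMPLE_PATHS, seg).values()))
        print(f"host_segment = {seg}: {hosts}")
    print(host_from_regex(SAMPLE_PATHS[0], r"/opt/log/(www\d+)/"))
```

Running the same audit over real file paths before deploying an inputs.conf change shows whether every web server will appear under its own host value, which matters when searches and alerts are scoped by host.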

Re: How to see www* as host from secure.log and access.log ?

Thanks for the update, but I achieved 50% of my requirement, as I would like to send this access.log into index = web.

Will the changes below work?

[monitor:///opt/log/]
disabled = 0
host_segment = 3

[monitor:///opt/log/]
disabled = 0
host_segment = 3
sourcetype = access.log
index = web

0 Karma

Re: How to see www* as host from secure.log and access.log ?

Splunk Employee

Yes they will.

0 Karma

Re: How to see www* as host from secure.log and access.log ?

During search, when I put index=web, it shows all individual hosts for access.log. But from the Welcome screen, I cannot see the sourcetype access.log.

0 Karma

Re: How to see www* as host from secure.log and access.log ?

Path Finder

Try this:

[monitor:///opt/log/www*/secure.log]
disabled = 0
host_segment = 3
sourcetype = secure.log
index = main

[monitor:///opt/log/www*/access.log]
disabled = 0
host_segment = 3
sourcetype = access.log
index = web

Let me know if that doesn't work.

0 Karma

Re: How to see www* as host from secure.log and access.log ?

Sorry, I tried it earlier but it didn't work.

0 Karma

Re: How to see www* as host from secure.log and access.log ?

Path Finder

I tried this in my environment and it's working perfectly:

[monitor:///opt/log/www*/access.log]
index = web
host_segment = 3

[monitor:///opt/log/www*/secure.log]
host_segment = 3

Can you clear the fishbucket and try indexing the data again?

Thanks,
Pankaj

0 Karma