Getting Data In

Multiple files in one folder as one source


Hallo there,
i have Logs which are devided into 16000 line logs. In Splunk every part of the Log is an extra source.

What is the best way to work with them as a logical single Log?

Tags (2)
0 Karma


My best solution is to add a field with the folder name:

source="C:\\..\\Logs\\*" | rex field=source ".*[//\\\]+(?<folder>.*)[//\\\]+.[a-zA-Z.0-9]*"

than i can use it for timechart for example:

source="C:\\..\\Logs\\*" | rex field=source ".*[//\\\]+(?<folder>.*)[//\\\]+.[a-zA-Z.0-9]*" | timechart count by folder
0 Karma


Hi Moritz,

assign your own sourcetype to the monitor stanza in inputs.conf. This way you can search for the sourcetype instead of searching for source like this:

sourcetype=YourNewMagicSourceType | ....

or you simply search for all of your logs like this:

source=YourLogFiles* | .....

hope this helps ...

cheers, MuS

Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!