Getting Data In

Organizing Log Data In Splunk

shahamit
Explorer

I have installed Splunk 5.0.2 and a universal forwarder on one of the application servers to forward glassfish logs to splunk central servers.
After adding a monitor I see all the glassfish log files as individual sources on the Splunk Search dashboard. Instead, I would like to visualize the log data grouped into multiple logical/custom categories.

  1. Is there a way to tag log data while adding a monitor? Log files could then have multiple tags which could be seen as different source types. Logs from different servers tagged with the same tag would be clubbed under the same group (just as we tag questions on this discussion forum).
  2. Is there a way to customize the search dashboard to remove the source section? Our search use cases would never involve searching through individual source files; instead, search would mostly be done on a group of source files grouped into a logical category as a tag, as mentioned in the first point.
  3. How can we delete a source or sourcetype from my splunk server? This is a slightly off-topic question, but since I want to reorganize my log data I would want to clean up old data and reconfigure the search dashboard.

Thank you.

0 Karma

dart
Splunk Employee
  1. The standard way to label data in Splunk is to use the sourcetype field, with a sourcetype setting in your monitor stanza:

    [monitor:///var/log/glassfish]
    sourcetype=glassfish

     source, sourcetype, and host are all fields that can be tagged like any other in Splunk.

  2. You can customise the dashboard by editing the XML for the dashboard_live to change the summary page. For example, you could replace the search with a query using the rest command to get a list of tags, like so:

    | rest /services/saved/tags count=0 | search field_name_value=host* | rename tag_name as tag | fields tag

     I'm not sure that I'd recommend this though.

  3. You can't delete sources or sourcetypes, as these are metadata about the indexed events. However, you can alias sourcetypes to a new name.
0 Karma
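As an added example (not from the original thread), this is the configuration the answer describes, carried one step further: the monitor stanza assigns a single sourcetype, and tags.conf on the search head attaches several tags to that sourcetype and to hosts, so events from different servers can be searched as one group. The paths, host names, tag names and app directory are assumptions.

```ini
# inputs.conf on the universal forwarder (added example; path is assumed)
[monitor:///var/log/glassfish]
sourcetype = glassfish
# index = glassfish   ; optional: a dedicated index makes retention/cleanup per application

# tags.conf on the search head, e.g. $SPLUNK_HOME/etc/apps/search/local/tags.conf
# Stanza name is <field>=<value>; each "<tag> = enabled" line adds one tag.
# One sourcetype can carry several tags, which is how a single sourcetype
# appears in more than one logical group.
[sourcetype=glassfish]
appserver = enabled
java = enabled

# Assumed host names: tagging hosts by role groups "different servers, same tag".
[host=app01.example.internal]
production = enabled

[host=app02.example.internal]
production = enabled

[host=qa-app01.example.internal]
qa = enabled

# Searches then use the group rather than individual sources, e.g.
#   tag=appserver tag=production SEVERE
#   tag=java NOT tag=qa
```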

shahamit
Explorer

Can I add multiple values to the sourcetype property? (as I mentioned in my question). Regarding my 3rd question about deleting source and sourcetypes, so there is no mechanism to clean up old data?

0 Karma