
Organizing Log Data In Splunk


I have installed Splunk 5.0.2 and a universal forwarder on one of the application servers to forward GlassFish logs to the Splunk central servers.
After adding a monitor I see all the GlassFish log files as individual sources on the Splunk Search dashboard. Instead, I would like to visualize the log data grouped into multiple logical/custom categories.

  1. Is there a way to tag log data while adding a monitor? Log files could then have multiple tags, which could be seen as different source types. Logs from different servers tagged with the same tag would be clubbed under the same group (just as we tag questions on this discussion forum).
  2. Is there a way to customize the search dashboard to remove the source section? Our search use cases would never involve searching through individual source files; instead, searches would mostly be done on a group of source files, grouped into a logical category as a tag, as mentioned in the first point.
  3. How can we delete a source or sourcetype from my Splunk server? This is a slightly off-topic question, but since I want to reorganize my log data I would want to clean up old data and reconfigure the search dashboard.

Thank you.


Splunk Employee
  1. The standard way to label data in Splunk is to use the sourcetype field, with a sourcetype setting in your monitor stanza:


source, sourcetype and host are all fields that can be tagged like any other in Splunk.

  2. You can customise the dashboard by editing the XML for the dashboard_live to change the summary page. For example, you could replace the search with a query using the rest command to get a list of tags, like so: | rest /services/saved/tags count=0 | search field_name_value=host* | rename tag_name as tag | fields tag. I'm not sure that I'd recommend this though.

  3. You can't delete sources or sourcetypes as these are metadata about the indexed events. However, you can alias sourcetypes to a new name.
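The answer above names three mechanisms: a sourcetype setting in the monitor stanza, tags on the source/sourcetype/host fields, and aliasing a sourcetype to a new name. Here is how those look in the .conf files, as an added example that is not part of this thread or of Splunk's own documentation. The log path, index name, sourcetype names, host names and tag names are all assumed; substitute your own.

```ini
# inputs.conf on the universal forwarder (added example; path, index and
# sourcetype name are assumed, not taken from the thread)
[monitor:///opt/glassfish/domains/domain1/logs/server.log*]
sourcetype = glassfish:server
index = app_logs
disabled = 0

# tags.conf on the search head: group data by tagging field values.
# Stanza form is [<field>=<value>], and each tag is enabled per value.
# One value can carry several tags, and the same tag can be applied to
# hosts on different servers so they search as a single group.
[sourcetype=glassfish:server]
appserver = enabled
java = enabled

[host=app01]
payments = enabled

[host=app02]
payments = enabled

# props.conf on the indexer/search head: alias an old sourcetype so events
# already indexed under it are searchable under the new name at search time
[glassfish_old]
rename = glassfish:server
```

With this in place, `tag=payments` returns events from both hosts and `tag::sourcetype=appserver` restricts a search to the tagged sourcetype, so searches are written against groups rather than individual source files. The sourcetype field itself is a single value per event; the multiple-label behaviour asked for in the question comes from tags, not from the sourcetype setting. Setting sourcetype on the forwarder matters beyond grouping: the indexer uses it to select line-breaking and timestamp rules, so a mis-assigned sourcetype shows up as mis-parsed events (wrong timestamps, merged lines) before anyone searches them, which is worth checking right after adding the monitor.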


Can I add multiple values to the sourcetype property? (as I mentioned in my question). Regarding my 3rd question about deleting source and sourcetypes, so there is no mechanism to clean up old data?
