Getting Data In

Organizing Log Data In Splunk

shahamit
Explorer

I have installed Splunk 5.0.2 and a universal forwarder on one of the application servers to forward glassfish logs to splunk central servers.
After adding a monitor I see all the glassfish log files as individual sources on the Splunk Search dashboard. Instead I visualize the log data to be grouped into multiple logical/custom categories.

  1. Is there a way to tag log data while adding a monitor? Log files could then have multiple tags which could be seen as different source types. Logs from different servers tag'd with same tag would be clubbed under the same group. (Just as we tag questions on this discussion forums).
  2. Is there a way to customize the search dashboard to remove the source section? Our search use cases would never involve search through individual source files instead search would mostly be done on group of source files? Grouped into a logical category as a tag mentioned in the first point.
  3. How can we delete source or sourcetype from my splunk server? This is slightly a off topic question but since I want to reorganize my log data I would want to clean up old data and reconfigure the search dashboard.

Thank you.

0 Karma

dart
Splunk Employee
Splunk Employee
  1. The standard way to label data in Splunk is to use the sourcetype field, with a sourcetype setting in your monitor stanza:

    [monitor:///var/log/glassfish]
    sourcetype=glassfish

source,sourcetype and host are all fields that can be tagged like any other in Splunk

  1. You can customise the dashboard by editing the XML for the dashboard_live to change the summary page. For example, you could replace the search with a query using the rest command to get a list of tags, like so : | rest /services/saved/tags count=0 | search field_name_value=host* | rename tag_name as tag | fields tag. I'm not sure that I'd recommend this though.

    1. You can't delete sources or sourcetypes as these are metadata about the indexed events. However you can alias sourcetypes to a new name.
0 Karma

shahamit
Explorer

Can I add multiple values to the sourcetype property? (as I mentioned in my question). Regarding my 3rd question about deleting source and sourcetypes, so there is no mechanism to clean up old data?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...