Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I seperate different data after splunk forward

perlish
Communicator
‎10-05-2012 08:04 AM

hi,my log center hava many data was recived through two forward,
for example, the ssh log of 192.168.1.100 firstly send to forward 1 ,and then forward 1 send the ssh log to log center
the php log of 192.168.1.100 firstly send to forward 2 , and then the forward 2 send the php log to log center
but in the log center, it only show host 192.168.1.100

How can i separate ssh log and php log, i want`t separate these by the content,
Because this will need to search all content, will spend lots of time.

Who can you help me?

Thanks.

Tags (2)
0 Karma
Reply

sdaniels
Splunk Employee
Splunk Employee
‎10-05-2012 10:50 AM

Please take a look at this information from our online documentation. You should have a separate sourcetype for ssh logs and for php logs.

http://docs.splunk.com/Documentation/Splunk/5.0/Data/Whysourcetypesmatter
http://docs.splunk.com/Documentation/Splunk/5.0/Data/Configureyourinputs

Below is the list of pretrained sourcetypes in Splunk.

http://docs.splunk.com/Documentation/Splunk/5.0/Data/Listofpretrainedsourcetypes

Example when you bring ssh logs into splunk they should have the sourcetype linux_secure. In the inputs.conf file on the forwarder it should say sourcetype=linux_secure in the monitoring stanza. That will allow splunk to break out the appropriate fields for you at search time.

0 Karma
Reply

bmacias84
Champion
‎10-05-2012 10:15 AM

Could you clarify? What is log center, an indexer? So do you have UF on server 192.168.1.100? If not how does 192.168.1.100 send data to forwarder? Are you using UFs and intermedate forwarders?

0 Karma
Reply
Get Updates on the Splunk Community!

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

 Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team for an ...

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...