Knowledge Management
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I seperate different data after splunk forward

perlish
Communicator
‎10-05-2012 08:04 AM

hi,my log center hava many data was recived through two forward,
for example, the ssh log of 192.168.1.100 firstly send to forward 1 ,and then forward 1 send the ssh log to log center
the php log of 192.168.1.100 firstly send to forward 2 , and then the forward 2 send the php log to log center
but in the log center, it only show host 192.168.1.100

How can i separate ssh log and php log, i want`t separate these by the content,
Because this will need to search all content, will spend lots of time.

Who can you help me?

Thanks.

Tags (2)
0 Karma
Reply

sdaniels
Splunk Employee
Splunk Employee
‎10-05-2012 10:50 AM

Please take a look at this information from our online documentation. You should have a separate sourcetype for ssh logs and for php logs.

http://docs.splunk.com/Documentation/Splunk/5.0/Data/Whysourcetypesmatter
http://docs.splunk.com/Documentation/Splunk/5.0/Data/Configureyourinputs

Below is the list of pretrained sourcetypes in Splunk.

http://docs.splunk.com/Documentation/Splunk/5.0/Data/Listofpretrainedsourcetypes

Example when you bring ssh logs into splunk they should have the sourcetype linux_secure. In the inputs.conf file on the forwarder it should say sourcetype=linux_secure in the monitoring stanza. That will allow splunk to break out the appropriate fields for you at search time.

0 Karma
Reply

bmacias84
Champion
‎10-05-2012 10:15 AM

Could you clarify? What is log center, an indexer? So do you have UF on server 192.168.1.100? If not how does 192.168.1.100 send data to forwarder? Are you using UFs and intermedate forwarders?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk and TLS: It doesn't have to be too hard

Overview Creating a TLS cert for Splunk usage is pretty much standard openssl.  To make life better, use an ...

Faster Insights with AI, Streamlined Cloud-Native Operations, and More New Lantern ...

Splunk Lantern is a Splunk customer success center that provides practical guidance from Splunk experts on key ...

Splunk Enterprise Security: Your Command Center for PCI DSS Compliance

Every security professional knows the drill. The PCI DSS audit is approaching, and suddenly everyone's asking ...