Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk forwarder to add custom fields for multiple logs

z001k6jr
New Member
‎12-24-2015 03:15 AM

I have to setup Splunk for 100 servers, each server will have 5-10 JVMs, Each JVM generates 3-4 log files. I would like to index logs to a central Splunk server and along with data , I would also like to send custom fields. so that I can uniquely search JVM logs or different files. for example a NullPinterException in JVM= "ABC" and in log file Server.log or in jms.log.
How can I design the deployment and custom fields?

The deployment looks like the following
Server A->
JVM 1->
server.log
jakarta.log
httpd.log
jms.log
JVM 2->
server.log
jakarta.log
httpd.log
jms.log

Server B->
JVM 3->
server.log
jakarta.log
httpd.log
jms.log
JVM 4->
server.log
jakarta.log
httpd.log

Tags (1)
0 Karma
Reply

jchampagne_splu
Splunk Employee
Splunk Employee
‎01-07-2016 10:46 AM

Where are you writing the JVM logs to on the host? What's the full path?

You can use host_regex or host_segment to extract the JVM "hostname" out of the log file path. Splunk would then replace the built-in host field with that value.

http://docs.splunk.com/Documentation/Splunk/6.3.2/admin/Inputsconf

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎12-28-2015 07:28 AM

How can I design the deployment and custom fields?

Sorry, but I'm not going to build the solution for you. I recommend you delete this question and only ask specific questions like... I get this error "complete error message" , how can I fix it? Not, I just got a new job as splunk admin and need to know how to setup deployment server and develop applications. The answer to your questions are covered in documentation, best practices, and splunk training sessions. All of which are available to you.

Reply

jplumsdaine22
Influencer
‎12-24-2015 01:24 PM

Just a question, have you run through the spunk tutorial? http://docs.splunk.com/Documentation/Splunk/6.3.2/SearchTutorial/WelcometotheSearchTutorial

Also I recommend you give this a read first as well: http://docs.splunk.com/Documentation/Splunk/6.3.2/Indexer/Howindexingworks

People will definitely give you a hand but having some familiarity with the basics will make it easier of you to get the answers you need

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...