My webserver logs are sent to my indexers through a Universal Forwarder.
Snippet from inputs.conf on the Universal Forwarder:
[monitor:///path/to/apache/2.2/web/.../logs/*access_log]
disabled = false
sourcetype = access_combined
index = internet
followTail=0
With this configuration, we properly set the following fields:
index = internet,
host = unixservername,
sourcetype = access_combined
The problem is, we need a field with the webserver name in segment 6 of the source:
/path/to/apache/2.2/web/.../logs/*access_log
We tried adding host_segment = 6 to the forwarder stanzas, but then we lose our true "host = unixservername" which is also necessary. Unfortunately, this information is NOT available anywhere but the source field.
So....
We can easily create a search time |rex for Splunk to process to pull the information:
|rex field=source "\/path\/to\/apache\/[0-9].[0-9]\/\w+\/(? .*?)\/"
This works well... however, I don't want my users to have to run this every time they search.
I would like the ability to add this as an index-time or search-time extraction through props and transforms -- preferably at the forwarder or indexer level. Any suggestions? Thanks for your help, ideas, and input! I'm stuck...
Jeremy
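One way to turn the search-time |rex above into a persistent extraction, as an added example that is not part of the original post: a props.conf/transforms.conf pair on the search head (search-time field extractions are evaluated where the search runs, not on the forwarder). The regex assumes the path layout from the post; the stanza name `extract_webserver_from_source` and the field name `webserver` are placeholders chosen here.

```ini
# props.conf (search head): apply the transform to every event of this sourcetype.
# REPORT-<class> runs a transforms.conf stanza at search time.
[access_combined]
REPORT-webserver = extract_webserver_from_source

# transforms.conf (search head): pull segment 6 of the source path into a field.
# SOURCE_KEY = source makes the regex run against the source field instead of _raw,
# so the host field set by the forwarder is left untouched.
[extract_webserver_from_source]
SOURCE_KEY = source
# Assumed path layout: /path/to/apache/<major>.<minor>/<dir>/<webserver>/logs/*access_log
# Group 1 captures the segment between the fifth slash and the sixth.
REGEX = ^/path/to/apache/\d+\.\d+/\w+/([^/]+)/
FORMAT = webserver::$1
```

After restarting Splunk (or reloading the search-time configuration), the `webserver` field appears on events of sourcetype access_combined without users running |rex themselves.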