I am pulling data from several Linux hosts. Each host has several users, and I am collecting data from each user's log folder.
host1:
/opt/ABC/log/logfile1
/opt/ABCDEV/log/logfile1
host2:
/opt/ABC/log/logfile1
/opt/ABCLIVE/log/logfile1
This is my config from \Client panel\Dynamic Options:
index=ABC sourcetype=host Logon | dedup source | rex field=source "\/(?<Client>ABC.*)\/lo.*" | eval Client=replace(Client,"\d","") | sort auto
Command used to add file to monitor on each host:
/opt/splunkforwarder/bin/splunk add monitor /opt//log/logfile1 -index ABC -sourcetype HOST
The issue is that within the Splunk home page, I have HOST, CLIENT.
However, due to the generic username of 'ABC' on host1 & host2, it results in only one entry for 'Client\source', so I'm missing a source for the host2 ABC user.
i.e.:
/opt/ABC/log/logfile1
/opt/ABCDEV/log/logfile1
/opt/ABCLIVE/log/logfile1
Is there a way that I can configure Splunk in order to be able to identify the 'generic' user?
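The search above cannot be run outside Splunk, so here is a small Python model of that pipeline, added as an illustration and not part of the original post or Splunk's own code. It builds a constructed event list that mirrors the three paths in the question (with /opt/ABC/log/logfile1 present on both hosts), applies the same rex and digit-stripping eval, and then compares `dedup source` with `dedup host source`. Because `source` alone is identical on host1 and host2 for the generic ABC user, deduplicating on `source` keeps only the first host's row; keying the dedup on the `host` field as well preserves one row per host. The regex `/(?P<Client>ABC[^/]*)/lo` is an assumed Python spelling of the rex in the question (Python uses `(?P<name>...)` for named groups where Splunk's rex uses `(?<name>...)`).

```python
import re
from collections import OrderedDict

# Constructed sample events: (host, source) as the forwarders would
# report them. /opt/ABC/log/logfile1 exists on both hosts, and host2
# has emitted it twice to show that dedup also collapses true duplicates.
SAMPLE_EVENTS = [
    {"host": "host1", "source": "/opt/ABC/log/logfile1"},
    {"host": "host1", "source": "/opt/ABCDEV/log/logfile1"},
    {"host": "host2", "source": "/opt/ABC/log/logfile1"},
    {"host": "host2", "source": "/opt/ABCLIVE/log/logfile1"},
    {"host": "host2", "source": "/opt/ABC/log/logfile1"},
]

# Assumed Python equivalent of: rex field=source "\/(?<Client>ABC.*)\/lo.*"
# [^/]* instead of .* keeps the capture inside one path component.
CLIENT_RE = re.compile(r"/(?P<Client>ABC[^/]*)/lo")


def extract_client(source):
    """rex + eval Client=replace(Client,"\\d",""): pull the user directory
    name out of the path and strip any digits from it."""
    m = CLIENT_RE.search(source)
    if m is None:
        return None
    return re.sub(r"\d", "", m.group("Client"))


def dedup(events, keys):
    """Model Splunk's `dedup <keys>`: keep the first event seen for each
    distinct combination of the given field values."""
    seen = OrderedDict()
    for ev in events:
        k = tuple(ev[key] for key in keys)
        if k not in seen:
            seen[k] = ev
    return list(seen.values())


def client_table(events, dedup_keys):
    """Run the modelled pipeline and return sorted (host, Client, source)
    rows, one per surviving event."""
    rows = []
    for ev in dedup(events, dedup_keys):
        client = extract_client(ev["source"])
        if client is not None:
            rows.append((ev["host"], client, ev["source"]))
    return sorted(rows)


if __name__ == "__main__":
    print("dedup source (host2 ABC row is lost):")
    for row in client_table(SAMPLE_EVENTS, ["source"]):
        print("  ", row)
    print("dedup host source (one row per host and user dir):")
    for row in client_table(SAMPLE_EVENTS, ["host", "source"]):
        print("  ", row)
```

The point the model makes is that `dedup source` is keyed on a value that is not unique across hosts, so the generic user directory collapses to one row regardless of how the Client field is later derived; carrying `host` into the dedup key (or into the extracted field) is what keeps the host2 ABC source visible.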