I have a large number of Mid-Tier systems. Each one is associated with a specific set of IIS logs. Unfortunately the logs all have the same name. They are, however, stored in different folder structures based on the Mid-Tier name, all on the same Top Tier machine.
What I need to do is to be able to differentiate between all these log files based on the Mid-Tier name. Ideally what I would like to do is assign a specific sourcetype to each Mid-Tier and then use a lookup table to get the sourcetype by searching for the specific Mid-Tier. Then pass the sourcetype to a search so that data related to that specific Mid-Tier is returned from the correct set of logs, based on the sourcetype.
Is this even possible?
The "source" field contains the filename of the log that got indexed. I've set up a field extraction, based on the source field, to identify a part of the directory path to indicate the "type" of web instance I was looking at. Then, you can use it as a search parameter.
You could also use a lookup on the sourcetype as you've indicated. However, doing so means that you're maintaining a list of several sourcetypes, even though the data has the same shape (and would therefore typically be the same sourcetype). If I'm mistaken about that, and you do genuinely have different sourcetypes, then by all means, key this Mid-Tier field from the sourcetype.
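The source-based extraction described in this answer could look like the following `props.conf` fragment. This is an added example, not configuration from the original posts. The `[iis]` stanza, the `IISLogs` directory layout, and the `mid_tier` field name are assumptions chosen for illustration.

```ini
# props.conf on the search head (search-time extraction).
# Assumed layout (constructed for this example):
#   D:\IISLogs\<MidTierName>\W3SVC1\u_ex240101.log
# All logs keep one sourcetype; the Mid-Tier name is read from the
# path held in the "source" field instead of from the event text.
[iis]
# "in source" applies the regex to the source field rather than _raw.
# [\\/] accepts either path separator, so the same rule works if a
# forwarder reports the path with forward slashes.
EXTRACT-mid_tier = (?i)[\\/]IISLogs[\\/](?<mid_tier>[^\\/]+)[\\/] in source
```

With this in place, a search such as `sourcetype=iis mid_tier=<MidTierName>` returns only events from that Mid-Tier's log folder, and events whose path does not match the pattern simply have no `mid_tier` field.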
Of course! I was totally blind to the source itself. The Mid-Tier name is embedded in the source path. I can pull the Mid-Tier name from the path and dispense with different sourcetypes.