Getting Data In

How can I monitor two access logs at once without using the regular host\source\sourcetype properties

shacham
Explorer

Hi,

Let's say I have 2 environments (TEST\PROD),
and in each one I have 2 brands with 2 different access logs:
access-brand1.log, access-brand2.log

I'm trying to monitor them both, but I'm already using my 'source' for the environments.
('host' and 'sourcetype' are also taken.)
Is there any way I can still tell Splunk to monitor them separately?

Thanks

0 Karma
1 Solution

mloven_splunk
Splunk Employee

I'd suggest leaving source to the default (the name of the file (or network port) that the data comes from). This will give the ability to search on individual file names.

To define logical groups within your environment, you can use tags as Anthony suggested.


0 Karma


mloven_splunk
Splunk Employee

If both logs are in the access_combined format, you can just tell Splunk that they're access_combined logs.

[monitor:///path/to/access-brand1.log]
index = myindex
sourcetype = access_combined

[monitor:///path/to/access-brand2.log]
index = myindex
sourcetype = access_combined

The above stanzas should work.

0 Karma

mloven_splunk
Splunk Employee

And while that isn't "wrong", it's not really what source was meant for.

From the docs:

Source -
A default field that identifies the source of the event. In the case of data monitored from files and directories, source consists of the full pathname of the file or directory. In the case of a network-based source, the source field consists of the protocol and port, such as UDP:514.

0 Karma

shacham
Explorer

But I'm already using my 'source' for the environments...
for example: source=PROD

0 Karma

mloven_splunk
Splunk Employee

index=myindex sourcetype=access_combined source="/path/to/access-brand2.log"

EDITED to correct index...

0 Karma

shacham
Explorer

But then how can I filter between the two?
If I want to search only in access-brand2.log, how can I tell Splunk to do it?

0 Karma

mloven_splunk
Splunk Employee

shacham,

I'm not really sure what you're asking. Maybe you can clarify?

If you want to monitor both files, you can do something like this:

[monitor:///path/to/access-brand1.log]
index = myindex
sourcetype = brand1_access

[monitor:///path/to/access-brand2.log]
index = myindex
sourcetype = brand2_access

0 Karma

shacham
Explorer

This is one solution, but I'm trying to use different solutions because I want to use automatically recognized source types (pretrained) like 'access_combined'.
Splunk already knows how to properly index pretrained source types and I think it's good practice to use it.

0 Karma

treinke
Builder

How about setting up tags?

http://docs.splunk.com/Documentation/Splunk/5.0.4/Knowledge/Abouttagsandaliases
http://docs.splunk.com/Documentation/Splunk/5.0.4/admin/Tagsconf

You can use tags to:
  • Help you track abstract field values, like IP addresses or ID numbers. For example, you could have an IP address related to your main office with the value 192.168.1.2. Tag that IP address value as mainoffice, and then search on that tag to find events with that IP address.
  • Use one tag to group a set of field values together, so you can search on them with one simple command. For example, you might find that you have two host names that relate to the same computer. You could give both of those values the same tag. When you search on that tag, Splunk returns events involving both host name values.
  • Give specific extracted fields multiple tags that reflect different aspects of their identity, which enables you to perform tag-based searches that help you quickly narrow down the results you want. To understand how this could work, see the following example.

There are no answers without questions
0 Karma
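As an added example (not part of this thread and not Splunk's own sample configuration), here is how the two suggestions fit together: the monitor stanzas leave source at its default (the full file path) and use the pretrained access_combined sourcetype, and tags.conf then attaches environment and brand tags to those source values so the logs can be grouped without overloading source, host or sourcetype. The file paths, the index name and the tag names are assumptions chosen for illustration.

```ini
# inputs.conf (assumed paths) -- source is left at its default, the full file path
[monitor:///opt/test/logs/access-brand1.log]
index = web
sourcetype = access_combined

[monitor:///opt/test/logs/access-brand2.log]
index = web
sourcetype = access_combined

[monitor:///opt/prod/logs/access-brand1.log]
index = web
sourcetype = access_combined

[monitor:///opt/prod/logs/access-brand2.log]
index = web
sourcetype = access_combined

# tags.conf -- tag the default source values instead of overriding source
# Stanza form is [<field>=<value>], and the value must match the indexed source exactly.
[source=/opt/test/logs/access-brand1.log]
test = enabled
brand1 = enabled

[source=/opt/test/logs/access-brand2.log]
test = enabled
brand2 = enabled

[source=/opt/prod/logs/access-brand1.log]
prod = enabled
brand1 = enabled

[source=/opt/prod/logs/access-brand2.log]
prod = enabled
brand2 = enabled
```

With this in place, a search such as `index=web sourcetype=access_combined tag=prod tag=brand2` returns only the production brand2 events, `tag=brand2` on its own returns brand2 events from both environments, and `source="/opt/prod/logs/access-brand2.log"` still works for pinpointing one file. Because tags are search-time knowledge objects, they apply to data that is already indexed and can be renamed or regrouped without re-indexing, and keeping the real file path in source preserves an accurate record of which file each event came from, which matters when an investigation has to trace an entry back to its origin.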