Splunk can be fed with any of the metadata fields: host / source / sourcetype.
Better to use source / sourcetype as they remain the same value even though the host value differs.
[monitor:///var/log/xxx.log]
disabled = false
index = xx
# optional: host = host1
sourcetype = xxxxx
So you want to add another input source to your inputs.conf file.
You need to add a stanza to inputs.conf that identifies the new data source.
For example, adding this stanza on *nix will monitor the /var/log/httpd directory for everything less than 7 days old and assign it the sourcetype access_common (which is typical for *nix web logs).
[monitor:///var/log/httpd]
index = main
sourcetype = access_common
ignoreOlderThan = 7d
For your additional applications you will want to assign new sourcetypes, like applicationABC and applicationXYZ, if they have different formats. If they have the same format then you could call them both applicationlog.
Here is the link to the inputs.conf.spec file online; it is also in your splunk directory.
http://docs.splunk.com/Documentation/Splunk/6.1.3/admin/inputsconf
After checking the log file I now realise that the 3 host names all use the one log file. This being the case I need a Splunk search to return the same log data for any of the three host names entered in the search. Is this possible?
Shot in the dark here, but if you are trying to send data to a forwarder from more than 1 host, you can chain forwarders together, which allows you to send data from more than 1 forwarder to another, then send data to an indexer. Having said that, be careful: what you build you must also maintain. Simplicity rules!
Here is a link that discusses this: http://answers.splunk.com/answers/129546/chaining-universal-forwarder.html
Uhh, more details on what you're trying to achieve, what you tried and didn't work, etc. please?
My normal setup is one host application with a log file per computer.
However, I have a situation where I have three host applications on the one PC that each create logs.
I need to be able to pull the log data from all three applications, depending on the host search specification within Splunk.
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf
host = host1 or host2 or host3
Hope this makes it a bit clearer.
Is the host name in the log directory or part of the file name? If so, here is the doco on how to do that: http://docs.splunk.com/Documentation/Splunk/6.1.3/Data/setadefaulthostforaninput
Scroll down to "dynamic" to see how to dynamically set the host name based upon the file or directory name.
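Added example (not from this thread or the Splunk docs) for the case where the three applications share one log file, so the host cannot be taken from the path: the host field can instead be rewritten per event from the event text using props.conf and transforms.conf. It assumes a constructed event layout in which the third whitespace-separated token is the application's host name, and uses "applog" as a placeholder sourcetype.

```ini
# props.conf  (goes on the indexer or a heavy forwarder; the universal
# forwarder does no parsing, so it cannot apply these stanzas)
# "applog" is a placeholder for the shared log file's sourcetype
[applog]
TRANSFORMS-app_host = app_host_from_event

# transforms.conf
# Assumed (constructed) event layout: "<date> <time> <hostname> <level> <message>"
# e.g. "2014-09-10 12:00:01 host2 INFO started"
# Only the three known names are matched; any other event keeps the
# default host from inputs.conf instead of getting a bogus value.
[app_host_from_event]
REGEX = ^\S+\s+\S+\s+(host1|host2|host3)\s
FORMAT = host::$1
DEST_KEY = MetaData:Host
```

Once host is rewritten at index time, a search such as `index=xx sourcetype=applog (host=host1 OR host=host2 OR host=host3)` returns the events for whichever of the three hosts are named, and `host=host2` alone returns only that application's lines.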
Thanks barakreeves for the info.