Configuring splunk forwarder. Have duplicate usern...

stu6000 · ‎02-16-2015

I am pulling data from several linux hosts, each host has several users, and i am collecting data from each users llog folder.

host1:
/opt/ABC/log/logfile1
/opt/ABCDEV/log/logfile1

host2:
/opt/ABC/log/logfile1
/opt/ABCLIVE/log/logfile1

This is my config from \Client panel\Dynamic Options:

index=ABC sourcetype=host Logon | dedup source | rex field=source "\/.ABC(?.)\/lo.*" |eval Client=replace(Client,"\d","") | sort auto

Command used to add file to monitor on each host:

/opt/splunkforwarder/bin/splunk add monitor /opt//log/logfile1 -index ABC -sourcetype HOST

The issue is that within Splunk home page, I have HOST , CLIENT
However due to the generic username of 'ABC' on host1 & host2 it is resulting in only one entry for 'Client\source', so im missing a source for host2 ABC user.

Ie:

/opt/ABC/log/logfile1
/opt/ABCDEV/log/logfile1
/opt/ABCLIVE/log/logfile1

Is there a way that i can configure splunk in order to be able to identify the 'generic' user?

esix_splunk · ‎02-16-2015

Your dedup is removing all the duplicated sources if I understand this correctly.

Why not use the host field for these sources? That will be unique... So do something similar as..

index=ABC sourcetype=host Logon | rex field=source "/opt\/(?P<Client>w+))\/" |stats count by host, Client

Your host field will be unique to each event. You can extract the Client name from the path and then do a dedup or stats count on it.. That will give you a unique count of events by host and by Client (username/ path on disk..)

Configuring splunk forwarder. Have duplicate usernames over multiple linux hosts. How to identify unique source?

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...