I am pulling data from several Linux hosts; each host has several users, and I am collecting data from each user's log folder.
host1:
/opt/ABC/log/logfile1
/opt/ABCDEV/log/logfile1
host2:
/opt/ABC/log/logfile1
/opt/ABCLIVE/log/logfile1
This is my config from \Client panel\Dynamic Options:
index=ABC sourcetype=host Logon | dedup source | rex field=source "\/.*ABC(?<Client>.*)\/lo.*" | eval Client=replace(Client,"\d","") | sort auto
Command used to add file to monitor on each host:
/opt/splunkforwarder/bin/splunk add monitor /opt//log/logfile1 -index ABC -sourcetype HOST
The issue is that within the Splunk home page I have HOST, CLIENT.
However, due to the generic username of 'ABC' on host1 & host2, it results in only one entry for 'Client\source', so I'm missing a source for the host2 ABC user.
I.e.:
/opt/ABC/log/logfile1
/opt/ABCDEV/log/logfile1
/opt/ABCLIVE/log/logfile1
Is there a way that I can configure Splunk in order to be able to identify the 'generic' user?
Your dedup is removing all the duplicated sources if I understand this correctly.
Why not use the host field for these sources? That will be unique. So do something similar to this:
index=ABC sourcetype=host Logon | rex field=source "/opt\/(?P<Client>\w+)\/" | stats count by host, Client
Your host field will be unique to each event. You can extract the Client name from the path and then do a dedup or stats count on it. That will give you a unique count of events by host and by Client (username/path on disk).
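To make the difference between the two searches concrete, here is an added Python example (not part of the question or the answer above, and not Splunk's own code) that replays both approaches over a handful of constructed events modelled on the paths in the question. The event list, the `extract_client`, `dedup_by_source` and `count_by_host_client` helpers are all assumptions made for this illustration; the regex is the one from the answer, and the digit-stripping step is the `replace(Client,"\d","")` eval from the question.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample events modelled on the paths in the question:
# two hosts, each with the generic "ABC" user plus one environment-specific user.
EVENTS = [
    {"host": "host1", "source": "/opt/ABC/log/logfile1"},
    {"host": "host1", "source": "/opt/ABCDEV/log/logfile1"},
    {"host": "host2", "source": "/opt/ABC/log/logfile1"},
    {"host": "host2", "source": "/opt/ABCLIVE/log/logfile1"},
    {"host": "host2", "source": "/opt/ABC/log/logfile1"},  # second event from the same source
]

# Same pattern as the answer's rex: the path component right after /opt/ is the client.
CLIENT_RE = re.compile(r"/opt/(?P<Client>\w+)/")


def extract_client(source: str) -> Optional[str]:
    """Return the client/user directory name from a source path, or None if absent."""
    m = CLIENT_RE.search(source)
    if not m:
        return None
    # The question's eval strips digits from the extracted name (e.g. ABC1 -> ABC).
    return re.sub(r"\d", "", m.group("Client"))


def dedup_by_source(events):
    """Mimic `| dedup source`: keep the first event per distinct source value,
    regardless of host. This is why host2's /opt/ABC/... entry disappears."""
    seen = set()
    kept = []
    for ev in events:
        if ev["source"] in seen:
            continue
        seen.add(ev["source"])
        kept.append(ev)
    return kept


def count_by_host_client(events):
    """Mimic `| stats count by host, Client`: host is part of the key, so the
    generic ABC user is reported once per host instead of once overall."""
    counts = Counter()
    for ev in events:
        client = extract_client(ev["source"])
        if client is None:
            continue  # events whose source does not match the /opt/<client>/ layout
        counts[(ev["host"], client)] += 1
    return dict(counts)


if __name__ == "__main__":
    print("dedup source keeps:", [(e["host"], e["source"]) for e in dedup_by_source(EVENTS)])
    print("stats count by host, Client:", count_by_host_client(EVENTS))
```

Running it shows `dedup_by_source` returning only three rows (host2's generic ABC source is gone), while `count_by_host_client` reports `("host2", "ABC")` as its own row, which is exactly the entry the question was missing.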