How to see www* as host from secure.log and access.log ?

princemanto2580
Path Finder

Hello Splunkers,

I am forwarding logs from a Universal Forwarder to a Search Peer (standalone Indexer) and doing the search from a standalone Search Head. I have done as much as I can from my understanding. How can I see access.log and secure.log from hosts www1 - www9?

Below is the inputs.conf of my UF (log path: /opt/logs/www1 - www9):

[default]
host = UF-01-248

[monitor:///opt/log/www*/secure.log]
disabled = 0
host_segment = 5
sourcetype = secure.log
index = main

[monitor:///opt/log/www*/access.log]
disabled = 0
host_segment = 9
sourcetype = access.log
index = web
0 Karma
1 Solution

nkwong_splunk
Splunk Employee

You can use the host_segment attribute to choose any segment of the monitored path to be the host value. For example, a host_segment=3 setting should pick up the "www*" value from your above monitored path. Also, you can use a regular expression with the host_regex attribute for more advanced ways to dynamically set the host value.

Here is the documentation and examples on how to dynamically set up the host value.
https://docs.splunk.com/Documentation/Splunk/6.5.1/Data/Setadefaulthostforaninput#Dynamically_set_th...

0 Karma

pjvarjani
Path Finder

Try this:

[monitor:///opt/log/www*/secure.log]
disabled = 0
host_segment = 3
sourcetype = secure.log
index = main

[monitor:///opt/log/www*/access.log]
disabled = 0
host_segment = 3
sourcetype = access.log
index = web

Let me know if that doesn't work.

0 Karma

princemanto2580
Path Finder

[screenshots from the original post, not reproduced]

0 Karma

princemanto2580
Path Finder

Hi Pankaj,

I followed this method to remove the events and reindex the same logs.

  1. Used |delete to delete all the events on the Search Head
  2. On each Indexer, ran ./splunk stop and then ./splunk clean eventdata -index _fishbucket
  3. On the Universal Forwarder, ran rm -rf /opt/splunkforwarder/var/lib/splunk/fishbucket/*
  4. Put the stanza as you mentioned on the Deployment Server and ran ./splunk reload deploy-server to reflect it on the UF.

[monitor:///opt/log/www*/secure.log]
disabled = 0
host_segment = 3
sourcetype = secure.log
index = main

[monitor:///opt/log/www*/access.log]
disabled = 0
host_segment = 3
sourcetype = access.log
index = web

  5. On the Indexer, ran ./splunk start
0 Karma

princemanto2580
Path Finder

Sorry, I tried it earlier but it didn't work.

0 Karma

pjvarjani
Path Finder

I tried this in my environment and it's working perfectly:

[monitor:///opt/log/www*/access.log]
index = web
host_segment = 3

[monitor:///opt/log/www*/secure.log]
host_segment = 3

Can you clear the fishbucket and try indexing the data again?

Thanks,
Pankaj

0 Karma

princemanto2580
Path Finder

During search, when I put index=web, it shows all the individual hosts for access.log. But from the Welcome screen, I cannot see the sourcetype as access.log.

0 Karma

princemanto2580
Path Finder

Thanks for the update, but I have achieved 50% of my requirement, as I would like to send this access.log into index = web.

Will the changes below work?

[monitor:///opt/log/]
disabled = 0
host_segment = 3

[monitor:///opt/log/]
disabled = 0
host_segment = 3
sourcetype = access.log
index = web

0 Karma

esix_splunk
Splunk Employee
Splunk Employee

Yes they will.

0 Karma

somesoni2
Revered Legend

Try setting host_segment (which is basically the level at which the host appears in the file path/source) to 3 for both. It seems the 3rd portion of the path is what you want as host.

In /opt/log/www*/ : opt - 1st, log - 2nd, www* - 3rd
0 Karma
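The two answers above (nkwong_splunk's and somesoni2's) both come down to how Splunk counts path segments. The following is an added example, not code from the thread or from Splunk itself: a small Python model of the `host_segment` and `host_regex` settings, run over constructed paths that mirror the poster's /opt/log/www1 - www9 layout. Segments are the non-empty path components numbered from 1, as the Splunk documentation describes; the fallback to the `[default]` host for a segment number past the end of the path is this example's assumption, chosen because it matches the symptom in the question (every event shows the forwarder's own host name). The function names and sample paths are the example's own.

```python
"""Model how Splunk's host_segment / host_regex settings pick a host from a source path.

Added example, not from the thread or Splunk's code. The 1-based segment numbering is
the documented behaviour; the out-of-range fallback to the [default] host is an
assumption that matches the symptom described in the question.
"""
import re

# Constructed sample sources mirroring the poster's /opt/log/www1 - www9 layout.
SAMPLE_SOURCES = [
    "/opt/log/www1/secure.log",
    "/opt/log/www2/access.log",
    "/opt/log/www9/access.log",
]

# The [default] host from the poster's inputs.conf.
DEFAULT_HOST = "UF-01-248"


def host_from_segment(source: str, host_segment: int, default_host: str = DEFAULT_HOST) -> str:
    """Return the host that host_segment would select from `source`.

    Segments are the non-empty components of the path, numbered from 1, so for
    /opt/log/www1/secure.log: opt=1, log=2, www1=3, secure.log=4. A host_segment of
    5 or 9 points past the end of a four-component path, so nothing is selected and
    (assumed here) the [default] host is kept.
    """
    segments = [s for s in source.split("/") if s]
    if 1 <= host_segment <= len(segments):
        return segments[host_segment - 1]
    return default_host


def host_from_regex(source: str, host_regex: str, default_host: str = DEFAULT_HOST) -> str:
    """Return the host from the first capture group of host_regex applied to `source`.

    Models the host_regex alternative from the accepted answer: the first capturing
    group becomes the host; if the pattern does not match, the default host is kept.
    """
    match = re.search(host_regex, source)
    if match and match.group(1):
        return match.group(1)
    return default_host


def resolve_hosts(sources, host_segment: int) -> dict:
    """Map each source path to the host that host_segment would produce for it."""
    return {src: host_from_segment(src, host_segment) for src in sources}


if __name__ == "__main__":
    # 3 yields www1..www9; 5 and 9 (the poster's original values) yield the default host.
    for seg in (3, 5, 9):
        print(f"host_segment = {seg}:")
        for src, host in resolve_hosts(SAMPLE_SOURCES, seg).items():
            print(f"  {src:28s} -> host={host}")
    # The regex route does not depend on counting components at all.
    pattern = r"/opt/log/(www\d+)/"
    print(f"host_regex = {pattern}:")
    for src in SAMPLE_SOURCES:
        print(f"  {src:28s} -> host={host_from_regex(src, pattern)}")
```

Running the script side by side with the thread's stanzas shows why `host_segment = 3` is the right value for this directory layout, and why the original 5 and 9 left every event on the forwarder's default host. The `host_regex` form is the safer choice when the directory depth may change between forwarders, since it anchors on the `www` name rather than on a position.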

princemanto2580
Path Finder

Thanks for reviewing my post. Do you mean like below?

[default]
host = UF-01-248

[monitor:///opt/log/www*/secure*]
disabled = 0
host_segment = 5
sourcetype = secure.log
index = main

[monitor:///opt/log/www*/access*]
disabled = 0
host_segment = 9
sourcetype = access.log
index = web

My requirement is to see www1, www2, etc. as individual hosts from the Search Head, each with its own access.log or secure.log.

0 Karma