Organizing Log Data In Splunk

shahamit
Explorer

I have installed Splunk 5.0.2 and a universal forwarder on one of the application servers to forward glassfish logs to the Splunk central servers.
After adding a monitor I see all the glassfish log files as individual sources on the Splunk Search dashboard. Instead, I envision the log data being grouped into multiple logical/custom categories.

  1. Is there a way to tag log data while adding a monitor? Log files could then have multiple tags, which could be seen as different source types. Logs from different servers tagged with the same tag would be clubbed under the same group (just as we tag questions on this discussion forum).
  2. Is there a way to customize the search dashboard to remove the source section? Our search use cases would never involve searching through individual source files; instead, searches would mostly be done on a group of source files, grouped into a logical category by a tag as mentioned in the first point.
  3. How can we delete a source or sourcetype from my Splunk server? This is a slightly off-topic question, but since I want to reorganize my log data I would want to clean up old data and reconfigure the search dashboard.

Thank you.

0 Karma

dart
Splunk Employee
  1. The standard way to label data in Splunk is to use the sourcetype field, with a sourcetype setting in your monitor stanza:

    [monitor:///var/log/glassfish]
    sourcetype=glassfish

  source, sourcetype and host are all fields that can be tagged like any other in Splunk.

  2. You can customise the dashboard by editing the XML for the dashboard_live to change the summary page. For example, you could replace the search with a query using the rest command to get a list of tags, like so: | rest /services/saved/tags count=0 | search field_name_value=host* | rename tag_name as tag | fields tag. I'm not sure that I'd recommend this though.

  3. You can't delete sources or sourcetypes as these are metadata about the indexed events. However you can alias sourcetypes to a new name.
0 Karma
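As an added illustration of the answer above (not part of the original thread), these are the three Splunk config files involved: the monitor stanza that sets one sourcetype, the tags.conf stanzas that put several labels on a sourcetype or host (the "many tags per log" grouping the question asks for), and the props.conf rename that aliases an old sourcetype. The log path, the tag names appserver/java/prod, the host name and the old sourcetype name are all assumed placeholders.

```ini
# inputs.conf on the universal forwarder (added example; path is assumed).
# A monitor stanza assigns exactly one sourcetype to every file under the directory.
[monitor:///var/log/glassfish]
sourcetype = glassfish

# tags.conf on the search head. Stanza header is <field>=<value>; each line
# names a tag and enables it, so one sourcetype can carry several tags.
[sourcetype=glassfish]
appserver = enabled
java = enabled

# The same tag on another sourcetype and on a host, so a search for
# tag=appserver returns events from all of them regardless of source file.
[sourcetype=tomcat]
appserver = enabled

[host=app-server-01]
prod = enabled

# props.conf: alias an old sourcetype to the new name at search time
# (events cannot be deleted per sourcetype, but the name can be remapped).
[glassfish_old]
rename = glassfish
```

With these in place, tag=appserver in the search bar groups events by tag rather than by individual source, which is the grouping the question describes.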

shahamit
Explorer

Can I add multiple values to the sourcetype property? (as I mentioned in my question). Regarding my 3rd question about deleting source and sourcetypes, so there is no mechanism to clean up old data?

0 Karma