Thank you for the reply. I ended up taking a different approach with props and transforms, using regex to identify Juniper logs and assign the sourcetype, which worked (although now the challenge is getting it to work with the Juniper Add-on and CIM). That said, I'm relatively new to Splunk and wondering if that's the best solution, or whether the solution should be more in line with what you outlined. For the Juniper logs (all the same format), the file system hierarchy is /mnt/syslog/YEAR/MONTH/juniper/<file>; however, the primary syslog monitor is /mnt/syslog/YEAR/MONTH/<file>, which is where everything is dumped, except for what is identified as Juniper, which now goes to /juniper/<file>. Juniper logs are just the first ones we looked to properly identify; we still have to go back and break out the remaining source types such as apache, linux_secure, asterisk_*, access_combined, operating systems, etc. It's a bit of a mess to clean up without disrupting current workflows. Thanks again! jrobb
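The props/transforms sourcetype override described in the post above, as an added example that is not part of the original thread: it assumes a single monitor input over /mnt/syslog/YEAR/MONTH/ that lands everything as sourcetype `syslog`, and it assumes the Juniper lines can be recognised by a Junos `RT_FLOW`/`RT_IDP` process tag and should get the add-on's `juniper:junos:firewall` sourcetype (both assumptions; check the raw events and the add-on's documented sourcetypes).

```ini
# inputs.conf -- assumed existing monitor; every file under the date tree
# is indexed as the generic sourcetype until an override applies.
[monitor:///mnt/syslog/*/*/]
sourcetype = syslog
index = syslog

# props.conf
# 1) Path-based assignment for files already separated into .../juniper/.
#    A source:: stanza needs no regex and is cheaper than an index-time
#    transform, so prefer it wherever the directory layout is reliable.
[source::/mnt/syslog/*/*/juniper/*]
sourcetype = juniper:junos:firewall
priority = 100

# 2) Regex-based override for Juniper lines still mixed into the main
#    syslog dump. TRANSFORMS- stanzas run at parse time on the indexer or
#    heavy forwarder (not on a universal forwarder) and only affect events
#    indexed after the change; already-indexed data keeps sourcetype=syslog.
[syslog]
TRANSFORMS-set_juniper_st = set_juniper_sourcetype

# transforms.conf
# The REGEX is an ASSUMPTION about the message format: Junos SRX session and
# IDP events carry an RT_FLOW / RT_IDP tag after the host field, e.g.
#   Jan  1 00:00:00 srx1 RT_FLOW: RT_FLOW_SESSION_CREATE: ...   (constructed)
# Anchor it to the start of the event so unrelated lines that merely
# mention "RT_FLOW" in their body are not re-typed.
[set_juniper_sourcetype]
REGEX = ^\w{3}\s+\d{1,2}\s+[\d:]+\s+\S+\s+RT_(?:FLOW|IDP)
FORMAT = sourcetype::juniper:junos:firewall
DEST_KEY = MetaData:Sourcetype
```

Once the sourcetype matches what the Juniper Add-on expects, its CIM field extractions apply automatically; verify with a search over the new sourcetype and `| tstats` against the relevant data model after fresh events arrive.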