Hi,
I've set up a central forwarder to send all our Apache logs to the indexes. Here is one of the monitor sections:
[monitor:///weblogs/catalogue/]
sourcetype = access_combined
whitelist=access_log.*[0-9].gz
index = apache_blah
host = apacheblah.com
ignoreOlderThan = 31d
recursive = true
However, I'm seeing this error in splunkd.log on the forwarder:
WARN TcpOutputProc - The event is missing source information. Event :
When I look at the source field, it is reporting the log filename. This is affecting me using Traffic Ray because the host information is using the source field.
How can I get the source section saying apache_blah.com or catalogue?
Regards