The name of the stanza you created in transforms.conf.

Example: Assign a source type to events from a single input but different hosts

Suppose that you have a shared UDP input, UDP514. Your Splunk platform instance indexes a wide range of data from a number of hosts through this input. You find that you need to apply a particular source type called my_log to data originating from three specific hosts, host1, host2, and host3, reaching your instance through the UDP514 input. To start, you can use the regular expression that Splunk software typically uses to extract the host field for syslog events. You can find it in $SPLUNK_HOME/etc/system/default/transforms.conf.

Hi, logs are usually the most important license consumer!

Anyway, you can filter your events by deleting some events before indexing: in this way you limit the license consumption, but you lose data that could be useful. So you have to analyze your logs and identify the ones that you think aren't so useful for your purposes; in detail, you have to find one or more regexes to filter these events. Then you have to apply the procedure described at [link missing] on the first Heavy Forwarder your logs pass through or on the Indexers (if there isn't any HF).

Beware choosing the sourcetype: the Fortigate Add-On makes a sourcetype transformation, so use the correct one, which you can identify by running a search on your logs.
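Both pieces above (dropping events before indexing to save license, and assigning my_log to events from host1, host2 and host3 on the shared UDP514 input) are done with a props.conf/transforms.conf pair on the first heavy forwarder the data passes through, or on the indexers if there is none. The following is an added, constructed example, not the Splunk documentation's or the Fortigate add-on's own configuration; the stanza names, the `level=debug` filter pattern and the narrowed host regex are assumptions.

```ini
# props.conf (place in $SPLUNK_HOME/etc/system/local or an app's local/ directory)
# A UDP network input on port 514 has the source "udp:514". Matching on the
# source rather than on the sourcetype sidesteps the add-on's sourcetype rename;
# if you key on sourcetype instead, use the one your events actually carry
# (confirm it with a search, as the reply above says).
[source::udp:514]
# Transforms run in the order listed: drop noise first, then set the source type.
TRANSFORMS-filter_noise = drop_debug_syslog
TRANSFORMS-set_my_log = set_sourcetype_my_log_from_host

# transforms.conf
# Events matching REGEX are routed to nullQueue: they are never indexed and
# therefore never counted against the license. The data is gone for good, so
# only filter patterns you have confirmed carry no investigative value.
[drop_debug_syslog]
REGEX = \blevel=debug\b
DEST_KEY = queue
FORMAT = nullQueue

# Override the source type only for events whose syslog host is host1, host2
# or host3. The pattern follows the shape of Splunk's default syslog host
# extraction ([syslog-host] in $SPLUNK_HOME/etc/system/default/transforms.conf),
# narrowed from "any host token" to the three hosts of interest.
[set_sourcetype_my_log_from_host]
REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(?:host1|host2|host3)\]?\s
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::my_log
```

Restart splunkd (or reload the configuration) after editing, then verify with a search that the dropped pattern no longer appears and that events from the three hosts carry sourcetype my_log.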