Channel: Questions in topic: "universal-forwarder"

How to implement tagging on a universal forwarder to categorize data so we can filter our searches?

I'm totally lost trying to decipher the impossibly dense abstract documentation here. I need to do something that I'd hope is simple, with a full example really needed. I am getting nowhere fast trying to wrap my mind around the circularly-referencing docs here, none of which have CLI examples at all....

The problem: I have a variety of Linux VMs running universal forwarders, forwarding syslogs and custom logs and the like to the central Splunk server we've set up. We tend to try to notionally categorize each VM into groups that make sense for us (i.e., product-ABC-production-servers, or product-XYZ-development-servers or the like).

- How do I define things on the forwarder computers to have all the data from that system categorized so we can filter our searches etc. based on that categorization/tagging/bucketing/whatever-word-you-want-to-use?
- What would a typical inputs.conf file entry for forwarding /var/log/messages look like?
- What other file(s) do I need to edit to make the tagging/annotating happen?
- What would a working example of 'those' files look like?
