I have installed Splunk 5.0.2 and a universal forwarder on one of the application servers to forward glassfish logs to splunk central servers. After adding a monitor I see all the glassfish log files as individual sources on the Splunk Search dashboard. Instead I visualize the log data to be grouped into multiple logical/custom categories.
- Is there a way to tag log data while adding a monitor? Log files could then have multiple tags which could be seen as different source types. Logs from different servers tag'd with same tag would be clubbed under the same group. (Just as we tag questions on this discussion forums).
- Is there a way to customize the search dashboard to remove the source section? Our search use cases would never involve search through individual source files instead search would mostly be done on group of source files? Grouped into a logical category as a tag mentioned in the first point.
- How can we delete source or sourcetype from my splunk server? This is slightly a off topic question but since I want to reorganize my log data I would want to clean up old data and reconfigure the search dashboard.
Thank you.