topic Re: Change sourcetype in props.conf in Getting Data In

Change sourcetype in props.conf

dswanson99 — Thu, 23 Sep 2010 20:50:43 GMT

I have a lwf sending apache logs (/var/log/httpd/access.log) to an indexer and they're being sourcetyped as 'unknown'.

On the forwarder in props.conf I have:

[source::/var/log/httpd/access.log(.\d+)?]
sourcetype = apache_access

Assuming this is the correct place, what am I doing wrong. I think I might be able to also do a transform but thought I'd stick with this for now.

Thanks

Re: Change sourcetype in props.conf

Branden — Thu, 23 Sep 2010 21:16:04 GMT

I set my sourcetype in inputs.conf. Here's what my inputs.conf looks like:

[monitor:///etc/httpd/logs/ssl_access_log]
index=access
sourcetype=apache-access

Hope that helps!

Re: Change sourcetype in props.conf

dswanson99 — Thu, 23 Sep 2010 21:45:35 GMT

Yes that does help thanks, but then I have to break out my access logs into a separate input. Right now I'm watching all of /var/log and the access logs are within there.

Re: Change sourcetype in props.conf

Lowell — Thu, 23 Sep 2010 21:55:39 GMT

Your log files end up under /etc? That seems odd.

Re: Change sourcetype in props.conf

gkanapathy — Fri, 24 Sep 2010 12:40:15 GMT

Looks right to me, and you would much rather do this than a transform. are you sure the file isn't access_log vs access.log?

Re: Change sourcetype in props.conf

dswanson99 — Fri, 24 Sep 2010 19:30:12 GMT

I wish that was the problem, but no they're access.log.

Re: Change sourcetype in props.conf

brianirwin — Wed, 24 Nov 2010 23:22:03 GMT

If you have a file/directory that is matched in multiple regex patterns it is important to help Splunk know which one you want to win. Defaul priority is 100, and it is possible that you have something like /var/log defined with another sourcetype.

I would try changing the priority in your props.conf to be > 100, and maybe just use a regex at the end. You can specify what files to eat in your inputs.conf

props.conf [source::/var/log/httpd/access.log*] sourcetype = apache_access priority = 101

I hope that helps.

Re: Change sourcetype in props.conf

DUThibault — Mon, 05 Feb 2018 17:02:26 GMT

The forwarder's props.conf must have a force_local_processing = true clause in the appropriate sourcetype or source:: stanza. Be aware that this will make the forwarder's SEDCMD and TRANSFORMS clauses apply and prevent those on the indexer from applying. Forwarders cannot do any search-time extractions, transformations, lookups or aliasing.