https://community.splunk.com/t5/Getting-Data-In/assign-sourcetype-based-upon-file-name/m-p/57268#M11188 <P>There is. You will need to specify this in your props/transforms files any where indexing is being performed.</P> <P><CODE>props.conf<BR /> [source::...regex_to_match_filename]<BR /> TRANSFORMS-fs = force-sourcetype-st</CODE></P> <P><CODE>transforms.conf<BR /> [force-sourcetype-st]<BR /> DEST_KEY = MetaData::Sourcetype<BR /> SOURCE_KEY = MetaData::Source<BR /> REGEX = YOUR_REGEX_TO_PULL_THE_FILENAME<BR /> FORMAT = sourcetype::$1<BR /> WRITE_META = true</CODE></P> <P>Referances<BR /> <CODE><A href="http://docs.splunk.com/Documentation/Splunk/latest/admin/Transformsconf" target="test_blank">http://docs.splunk.com/Documentation/Splunk/latest/admin/Transformsconf</A></CODE><BR /> <CODE><A href="http://docs.splunk.com/Documentation/Splunk/latest/admin/Propsconf" target="test_blank">http://docs.splunk.com/Documentation/Splunk/latest/admin/Propsconf</A></CODE></P> Mon, 11 Mar 2013 13:12:52 GMT alacercogitatus 2013-03-11T13:12:52Z https://community.splunk.com/t5/Getting-Data-In/assign-sourcetype-based-upon-file-name/m-p/57267#M11187 <P>Hi,</P> <P>Is there a way to dynamically assign sourcetype based upon input filename? </P> Mon, 11 Mar 2013 12:58:30 GMT https://community.splunk.com/t5/Getting-Data-In/assign-sourcetype-based-upon-file-name/m-p/57267#M11187 a212830 2013-03-11T12:58:30Z https://community.splunk.com/t5/Getting-Data-In/assign-sourcetype-based-upon-file-name/m-p/57268#M11188 <P>There is. You will need to specify this in your props/transforms files any where indexing is being performed.</P> <P><CODE>props.conf<BR /> [source::...regex_to_match_filename]<BR /> TRANSFORMS-fs = force-sourcetype-st</CODE></P> <P><CODE>transforms.conf<BR /> [force-sourcetype-st]<BR /> DEST_KEY = MetaData::Sourcetype<BR /> SOURCE_KEY = MetaData::Source<BR /> REGEX = YOUR_REGEX_TO_PULL_THE_FILENAME<BR /> FORMAT = sourcetype::$1<BR /> WRITE_META = true</CODE></P> <P>Referances<BR /> <CODE><A href="http://docs.splunk.com/Documentation/Splunk/latest/admin/Transformsconf" target="test_blank">http://docs.splunk.com/Documentation/Splunk/latest/admin/Transformsconf</A></CODE><BR /> <CODE><A href="http://docs.splunk.com/Documentation/Splunk/latest/admin/Propsconf" target="test_blank">http://docs.splunk.com/Documentation/Splunk/latest/admin/Propsconf</A></CODE></P> Mon, 11 Mar 2013 13:12:52 GMT https://community.splunk.com/t5/Getting-Data-In/assign-sourcetype-based-upon-file-name/m-p/57268#M11188 alacercogitatus 2013-03-11T13:12:52Z https://community.splunk.com/t5/Getting-Data-In/assign-sourcetype-based-upon-file-name/m-p/57269#M11189 <P>alacercogitatus's answer is certainly correct. You can set the sourcetype at parsing time (typically on your indexer) with props and transforms. For some problems this is the way to go.</P> <P>However, if you want the sourcetype set up from the beginning, so you can control things like the "CHARSET" (encoding), NO_BINARY_CHECK and so on, then you can also control the sourcetype set at the input layer in tailing. For this to work, you need to be willing to put configuration on your forwarder, and it would look something like</P> <P>props.conf:</P> <PRE><CODE>[source::&lt; pattern &gt;] sourcetype = what_you_want </CODE></PRE> <P>&lt; pattern &gt; is whatever you need to match the file. The simplest thing that gets everything you want and doesn't get false positives is kind of a local decision, but often it looks something like:<BR /> <BR /><BR /> <BR /><BR /> <PRE><BR /> [source::/var/log/my_app/*.log]<BR /> sourcetype = my_app<BR /> </PRE><BR /> <BR /><BR /> <BR /></P> <P>If you use both these techniques, then the value set at the input layer will be used until it is possibly modified by the props/transforms pass. Usually though, you want to use one approach or the other for a particular dataset, lest you make things too confusing.</P> Mon, 28 Sep 2020 13:29:48 GMT https://community.splunk.com/t5/Getting-Data-In/assign-sourcetype-based-upon-file-name/m-p/57269#M11189 jrodman 2020-09-28T13:29:48Z https://community.splunk.com/t5/Getting-Data-In/assign-sourcetype-based-upon-file-name/m-p/57270#M11190 <P>alacercogitatus's answer does work, though the separators for the MetaData keys are single colons, not double, i.e.</P> <PRE><CODE>DEST_KEY = MetaData:Sourcetype SOURCE_KEY = MetaData:Source </CODE></PRE> <P>After that it worked great!</P> Mon, 14 Sep 2015 23:36:28 GMT https://community.splunk.com/t5/Getting-Data-In/assign-sourcetype-based-upon-file-name/m-p/57270#M11190 mbonsack_splunk 2015-09-14T23:36:28Z