topic Re: inputs.conf - configure "source" in Getting Data In

inputs.conf - configure "source"

Gil — Mon, 23 Sep 2024 13:01:59 GMT

Hi all,

i have a monitor stanza in inputs.conf that monitor our organization proxy,

the logs are sent by syslog-ng

i have only one stanza that monitor 4 diff sources IP's from that proxy.

i want to configure diff "source" to each source ip's without seeing in the value (under the source field) the name of the log.
lets say the monitor path is (in the deployment server):
$SPLUNK_HOME/syslog/proxy/*/*.log

in the source field i will see:
$SPLUNK_HOME/syslog/proxy/<proxy_source_a|b|c|d>/<proxy_date_and_time>.log

i want the source to stop at proxy_source_a|b|c|d, example:
$SPLUNK_HOME/syslog/proxy/<proxy_source_a|b|c|d>/

is that possible?

Re: inputs.conf - configure "source"

dural_yyz — Mon, 23 Sep 2024 14:20:54 GMT

https://community.splunk.com/t5/Getting-Data-In/Adding-a-field-and-changing-source-from-Source/m-p/147386

https://community.splunk.com/t5/Getting-Data-In/How-to-replace-meta-information/m-p/98452

Here are 2 links demonstrating different use cases to replace source values with something for their particular use. Leveraging rex you can replace your source with the value and match you require. The process is the same even if the rex is different.

Re: inputs.conf - configure "source"

Gil — Mon, 23 Sep 2024 14:54:48 GMT

tried those 2 option already with no good results.

thank you.

Re: inputs.conf - configure "source"

PickleRick — Mon, 23 Sep 2024 17:47:41 GMT

You can rewrite any metadata field including source, sourcetype and host using transforms.

But, to be honest, I don't understand why you would want to lose information (the actual source file). You can always extract that info in search time if you want just the directory.

Re: inputs.conf - configure "source"

Gil — Tue, 24 Sep 2024 05:46:36 GMT

I'll probably make a meta field as you suggested,

I didn't wanted to do it at the start but it seems the only way.

Re: inputs.conf - configure "source"

PickleRick — Tue, 24 Sep 2024 07:33:23 GMT

No, wait.

source _is_ a metadata field already. You can use transforms to either cut it as you initially planned or to extract data from it to another indexed field. You can also use EXTRACT or REPORT to extract the field in search time.

There are many possibilities here.

Re: inputs.conf - configure "source"

Gil — Tue, 24 Sep 2024 09:30:38 GMT

i tried transforms and props yesterday and it didnt work,

but what is "EXTRACT or REPORT" you mention.

Re: inputs.conf - configure "source"

PickleRick — Tue, 24 Sep 2024 09:57:41 GMT

1. What _exactly_ did you try? And how it 'doesn't work'?

2. EXTRACT and REPORT are two settings which can be used for search-time extractions.

Re: inputs.conf - configure "source"

isoutamo — Sat, 28 Sep 2024 15:32:56 GMT

What is your current reason why you are trying this and what is your original issue which you are solving?