topic Re: Sourcetype Override in Getting Data In

Sourcetype Override

kenchisho — Fri, 03 Feb 2012 14:42:27 GMT

Hi guys... I have a couple of script inputs that generate network status data... the issue is that a single script inputs data for multiple sourcetypes... The data itself has a filed sourcetype=$value$

is there a simple way to override the default sourcetype "exec" like for host override:

[sourcetype-override]
REGEX = (?i)sourcetype=(\w+)
FORMAT = sourcetype::$1
DEST_KEY = MetaData:SourceType

Re: Sourcetype Override

piebob — Fri, 03 Feb 2012 19:03:53 GMT

if your events can be identified via regex, you can do this:

http://docs.splunk.com/Documentation/Splunk/latest/Data/Advancedsourcetypeoverrides

you'll need to do this on the indexer--this won't work on the forwarder, unless it's a 'heavy forwarder'.

Re: Sourcetype Override

kenchisho — Mon, 28 Sep 2020 10:23:29 GMT

thnx. i'we seen the guide but this will not work in this case... the examples in the guide match a regex and then based on that match set the source type manually...

[some_stanza]
REGEX = some_regex
FORMAT = sourcetype::my_log (manually set source type to my_log)
DEST_KEY = MetaData:Sourcetype

This would require a stanza in props.conf for every source type i wish to have for a single scripted input source...

what i am trying is to extract the source type itself using a regex and route those events to that source type...