https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-split-a-single-large-file-into-2/m-p/116120#M24252 <P>Yes it is possible, but you could do it before the indexing-time of the data pipeline, since override a sourcetype occurs at parse-time.<BR /> I hope this could help you. <A href="http://docs.splunk.com/Documentation/Splunk/6.2.2/Data/Advancedsourcetypeoverrides">http://docs.splunk.com/Documentation/Splunk/6.2.2/Data/Advancedsourcetypeoverrides</A> </P> Thu, 26 Mar 2015 15:44:32 GMT stephanefotso 2015-03-26T15:44:32Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-split-a-single-large-file-into-2/m-p/116119#M24251 <P>Hi ,</P> <P>I have a single source which has a huge number of events. These events are broadly classified into two groups and all are present in the same file single file. Now, my requirement is to get the file indexed into a single index as called "myindex" and have two different sourcetypes "group1" and "group2". group1 and group2 category in the file is distinguihsed with the help of the keyword XXX and YYY in my log file.for example XXX denotes group1 and YYY denotes group2.</P> <P>Here is the sample of log file.</P> <P>// mylog_sample.txt</P> <PRE><CODE>24-08-2014 10:23:34 12e,34,56,67,87,90,123, 34,545,45,XXX,56,5768,342,34456 24-08-2014 10:23:35 12e,34,56,67,87,90,123, 34,545,45,XXX,56,5768,342,34456 24-08-2014 10:23:36 1w2,34,56,67,87,90,123, 34,545,45,XXX,56,5768,342,34456 24-08-2014 10:23:37 12e,34,56,67,87,90,123, 34,545,45,XXX,56,5768,342,34456 24-08-2014 10:23:39 122,34,56,67,87,90,123, 34,545,45,XXX,56,5768,342,34456 25-08-2014 10:23:34 12e,34,56,67,87,90,123, 34,545,45,YYY,56,5768,342,34456 25-08-2014 10:23:35 12e,34,56,67,87,90,123, 34,545,45,YYY,56,5768,342,34456 25-08-2014 10:23:36 1w2,34,56,67,87,90,123, 34,545,45,YYY,56,5768,342,34456 25-08-2014 10:23:37 12e,34,56,67,87,90,123, 34,545,45,YYY,56,5768,342,34456 25-08-2014 10:23:39 122,34,56,67,87,90,123, 34,545,45,YYY,56,5768,342,34456 </CODE></PRE> <P>All the data is present in the same file. Now i want to split the whole data into two different sourcetypes "group1" and "group2" in a single index.</P> <P>so if i search the data with:</P> <PRE><CODE>index="myindex" sourcetype="group1" </CODE></PRE> <P>it should list the following data ..</P> <PRE><CODE>24-08-2014 10:23:34 12e,34,56,67,87,90,123, 34,545,45,XXX,56,5768,342,34456 24-08-2014 10:23:35 12e,34,56,67,87,90,123, 34,545,45,XXX,56,5768,342,34456 24-08-2014 10:23:36 1w2,34,56,67,87,90,123, 34,545,45,XXX,56,5768,342,34456 24-08-2014 10:23:37 12e,34,56,67,87,90,123, 34,545,45,XXX,56,5768,342,34456 24-08-2014 10:23:39 122,34,56,67,87,90,123, 34,545,45,XXX,56,5768,342,34456 </CODE></PRE> <P>and if I search with the following:</P> <PRE><CODE>index="myindex" sourcetype="group2" </CODE></PRE> <P>it should list the following data ..</P> <PRE><CODE>25-08-2014 10:23:34 12e,34,56,67,87,90,123, 34,545,45,YYY,56,5768,342,34456 25-08-2014 10:23:35 12e,34,56,67,87,90,123, 34,545,45,YYY,56,5768,342,34456 25-08-2014 10:23:36 1w2,34,56,67,87,90,123, 34,545,45,YYY,56,5768,342,34456 25-08-2014 10:23:37 12e,34,56,67,87,90,123, 34,545,45,YYY,56,5768,342,34456 25-08-2014 10:23:39 122,34,56,67,87,90,123, 34,545,45,YYY,56,5768,342,34456 </CODE></PRE> <P>Any help on the above use case. I used to transforms.conf, but no luck on separation. Please post the proper configuration that helps and suits the requirement.</P> <P>Many thanks.<BR /> Rakesh.</P> Thu, 26 Mar 2015 13:02:06 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-split-a-single-large-file-into-2/m-p/116119#M24251 rakesh_498115 2015-03-26T13:02:06Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-split-a-single-large-file-into-2/m-p/116120#M24252 <P>Yes it is possible, but you could do it before the indexing-time of the data pipeline, since override a sourcetype occurs at parse-time.<BR /> I hope this could help you. <A href="http://docs.splunk.com/Documentation/Splunk/6.2.2/Data/Advancedsourcetypeoverrides">http://docs.splunk.com/Documentation/Splunk/6.2.2/Data/Advancedsourcetypeoverrides</A> </P> Thu, 26 Mar 2015 15:44:32 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-split-a-single-large-file-into-2/m-p/116120#M24252 stephanefotso 2015-03-26T15:44:32Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-split-a-single-large-file-into-2/m-p/116121#M24253 <P>Thanks for the update stephan. but this seems not working below is my configuration.</P> <P>// inputs.conf</P> <P>[monitor:///opt/splunk/splunkInput/mylog_sample.txt]<BR /> disabled = false<BR /> followTail = 0<BR /> recursive = false<BR /> sourcetype = temp<BR /> index = myindex</P> <P>// transforms.conf</P> <P>[set_group1_routing]<BR /> REGEX = XXX<BR /> FORMAT = sourcetype::group1<BR /> DEST_KEY = MetaData:Sourcetype</P> <P>[set_group2_routing]<BR /> REGEX = YYY<BR /> FORMAT = sourcetype::group2<BR /> DEST_KEY = MetaData:Sourcetype</P> <P>// props.conf</P> <P>[group1]<BR /> TRANSFORMS-350_routing=set_group1_routing<BR /> DATETIME_CONFIG = CURRENT<BR /> MAX_TIMESTAMP_LOOKAHEAD = 150<BR /> NO_BINARY_CHECK = 1<BR /> SHOULD_LINEMERGE = false</P> <P>[group2]<BR /> TRANSFORMS-350_routing=set_group2_routing<BR /> DATETIME_CONFIG = CURRENT<BR /> MAX_TIMESTAMP_LOOKAHEAD = 150<BR /> NO_BINARY_CHECK = 1<BR /> SHOULD_LINEMERGE = false</P> <P>Help me if am missing something. thanks in advance <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Mon, 28 Sep 2020 19:21:06 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-split-a-single-large-file-into-2/m-p/116121#M24253 rakesh_498115 2020-09-28T19:21:06Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-split-a-single-large-file-into-2/m-p/116122#M24254 <P>Are you using a heavy forwarder? Where do you put this configuration? Is it your indexer?</P> Fri, 27 Mar 2015 16:22:01 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-split-a-single-large-file-into-2/m-p/116122#M24254 vincenteous 2015-03-27T16:22:01Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-split-a-single-large-file-into-2/m-p/116123#M24255 <P>it looks like your data will be sending with a sourcetype of temp intially. So your props can probably look more like this</P> <P>[temp]<BR /> DATETIME_CONFIG = CURRENT<BR /> MAX_TIMESTAMP_LOOKAHEAD = 150<BR /> NO_BINARY_CHECK = 1<BR /> SHOULD_LINEMERGE = false<BR /> TRANSFORMS-350_routing=set_group1_routing, set_group2_routing</P> <P><A href="https://community.splunk.com/Search%20Time%20settings" target="_blank">group1</A></P> <P><A href="https://community.splunk.com/Search%20Time%20settings" target="_blank">group2</A></P> <P>So the data will come in with a sourcetype of "temp" and hit your props. So along with the timestamp/linebreak settings, your transforms will be applied which will set the new sourcetype accordingly. </P> <P>Also, if you decide on creating field extractions or other search-time settings, they would be applied to/configured in the stanzas for those new sourcetypes you created - group1 and group2 </P> Mon, 28 Sep 2020 19:18:25 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-split-a-single-large-file-into-2/m-p/116123#M24255 maciep 2020-09-28T19:18:25Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-split-a-single-large-file-into-2/m-p/116124#M24256 <P>No vincenteous... i am using this configuration at indexer .</P> Mon, 30 Mar 2015 09:08:22 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-split-a-single-large-file-into-2/m-p/116124#M24256 rakesh_498115 2015-03-30T09:08:22Z