topic Re: Control index / sourcetype / Serverclass in Getting Data In

Control index / sourcetype / Serverclass

Ed_Alias — Tue, 24 Feb 2015 08:47:43 GMT

Hi,

i would like to document and control my splunk deployment configuration,

do you have some idea on how to get a table on wich i would get

Index | sourcetype | serverclass

Regards,

Re: Control index / sourcetype / Serverclass

markthompson — Tue, 24 Feb 2015 08:50:30 GMT

Can you explain in a bit more detail? I'm struggling to understand what you want to table.

Re: Control index / sourcetype / Serverclass

Ed_Alias — Tue, 24 Feb 2015 08:54:50 GMT

well, i would like to be able to know in indexes, what are the sourcetypes and who put data in these sourcetypes(by servevclasses).

by doing that i can control my serverclasses are working and up to date with what i want

Re: Control index / sourcetype / Serverclass

Ed_Alias — Tue, 24 Feb 2015 08:56:25 GMT

what configuration is responsible for writing in a particuliar sourcetype

Re: Control index / sourcetype / Serverclass

markthompson — Tue, 24 Feb 2015 08:59:20 GMT

Have you tried looking at metadata, you can use that to list sourcetypes etc?

Re: Control index / sourcetype / Serverclass

Ed_Alias — Tue, 24 Feb 2015 09:03:53 GMT

i got that seach from splunk answer :

wich list index | sourcetype

so now i need to know who puts data in a sourcetype..

Re: Control index / sourcetype / Serverclass

vinodmadaan — Tue, 24 Feb 2015 10:17:01 GMT

Hi Ed,

From what I know the sourcetype is the path from which the data is taken, I mean if splunk is taking the data from xyz.logs then source type is the path of this log file.

So to answer the question of who puts the data in source type: it is the server or the application creating the logs puts the data in the source type.

I guess I am answering what you are asking, please let me know if I am going out of the track.

Re: Control index / sourcetype / Serverclass

Ed_Alias — Tue, 24 Feb 2015 10:35:41 GMT

ok but you missunderstand me, the application creates logs it is not responsible for putting it in splunk.

it is the sourcetype and the deployed splunk application wich retrieve the application's logs and put it in a particuliar sourcetype .

Re: Control index / sourcetype / Serverclass

markthompson — Tue, 24 Feb 2015 10:39:46 GMT

Vinod I believe what Ed is trying to achieve is to list it in his map, not to have an answer to the question.

Re: Control index / sourcetype / Serverclass

diogofgm — Tue, 24 Feb 2015 12:00:12 GMT

with the following search you can get information about you inputs: index | sourcetype | app (where the input config is)

| rest https://localhost:8089/services/data/inputs/all | table index, sourcetype, eai:acl.app

This should give you a rough idea about the origin.
I haven't been able to test it further but with the following you might be able to get the app/ serverclass relation:

| rest https://localhost:8089/services/deployment/client/config

check the fields eai:acl.app and title for the relation

Re: Control index / sourcetype / Serverclass

diogofgm — Tue, 24 Feb 2015 16:53:44 GMT

This shows the serverclasses per app but i not sure if it can be used on any splunk instance other than the deployment server
| rest https://localhost:8089/services/deployment/server/applications | table title, serverclasses