https://community.splunk.com/t5/Getting-Data-In/How-to-split-a-log-into-multiple-sourcetypes-on-a-heavy/m-p/173636#M34941 <P>Try this (put it on Heavy forwarder and restart)</P> <P>inputs.conf (same as before)</P> <PRE><CODE>[monitor:///splunk/F5] disabled = false sourcetype = f5 index = f5 blacklist = gz </CODE></PRE> <P>props.conf</P> <PRE><CODE>[f5] TIME_PREFIX = ^ TIME_FORMAT= %Y-%m-%dTO%H:%M:%S%:z TRANSFORMS-changeSourcetype1 = psm-set-sourcetype, asm-set-sourcetype [psm_log] [asm_log] </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[asm-set-sourcetype] DEST_KEY = MetaData:Sourcetype REGEX = (\sASM:\s) FORMAT = asm_log [psm-set-sourcetype] DEST_KEY = MetaData:Sourcetype REGEX = (\sPSM:\s) FORMAT = psm_log </CODE></PRE> Tue, 10 Mar 2015 16:36:16 GMT somesoni2 2015-03-10T16:36:16Z https://community.splunk.com/t5/Getting-Data-In/How-to-split-a-log-into-multiple-sourcetypes-on-a-heavy/m-p/173635#M34940 <P>Hi,<BR /> I seem to be struggling in splitting log data from the heavy forwarder into several sourcetypes in an index.</P> <P>I have a network device sending logdata to the heavyforwarder via syslog which dumps it into a flat file.<BR /> The heavyforwarder reads the files and sends to the indexers.. All good so far.<BR /> Now what I'm trying to do is have 2 regexes split into 2 sourcetypes and everything else into the default sourcetype for that index.</P> <P>props.conf</P> <PRE><CODE> [asm_log] TIME_PREFIX = ^ TIME_FORMAT= %Y-%m-%dTO%H:%M:%S%:z TRANSFORMS-changeSourcetype1 = routeAsmlog, asm-set-sourcetype [psm_log] TIME_PREFIX = ^ TIME_FORMAT= %Y-%m-%dTO%H:%M:%S%:z TRANSFORMS-changeSourcetype2 = routePsmlog, psm-set-sourcetype </CODE></PRE> <P>transforms.conf</P> <PRE><CODE> [routeAsmlog] REGEX = (\sASM:\s) DEST_KEY = queue FORMAT = indexQueue [asm-set-sourcetype] DEST_KEY = MetaData:Sourcetype REGEX = (\sASM:\s) FORMAT = asm_log also tried FORMAT = sourcetype::f5:asm [routePsmlog] REGEX = (\sPSM:\s) DEST_KEY = queue FORMAT = indexQueue [psm-set-sourcetype] DEST_KEY = MetaData:Sourcetype REGEX = (\sPSM:\s) FORMAT = psm_log </CODE></PRE> <P>inputs.conf</P> <PRE><CODE> [monitor:///splunk/F5] disabled = false sourcetype = f5 index = f5 blacklist = gz also tried removing the sourcetype line </CODE></PRE> <P>Any idea where I'm going wrong?</P> <P>Thanks in advance<BR /> Steve</P> Tue, 10 Mar 2015 15:24:24 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-split-a-log-into-multiple-sourcetypes-on-a-heavy/m-p/173635#M34940 cdstealer 2015-03-10T15:24:24Z https://community.splunk.com/t5/Getting-Data-In/How-to-split-a-log-into-multiple-sourcetypes-on-a-heavy/m-p/173636#M34941 <P>Try this (put it on Heavy forwarder and restart)</P> <P>inputs.conf (same as before)</P> <PRE><CODE>[monitor:///splunk/F5] disabled = false sourcetype = f5 index = f5 blacklist = gz </CODE></PRE> <P>props.conf</P> <PRE><CODE>[f5] TIME_PREFIX = ^ TIME_FORMAT= %Y-%m-%dTO%H:%M:%S%:z TRANSFORMS-changeSourcetype1 = psm-set-sourcetype, asm-set-sourcetype [psm_log] [asm_log] </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[asm-set-sourcetype] DEST_KEY = MetaData:Sourcetype REGEX = (\sASM:\s) FORMAT = asm_log [psm-set-sourcetype] DEST_KEY = MetaData:Sourcetype REGEX = (\sPSM:\s) FORMAT = psm_log </CODE></PRE> Tue, 10 Mar 2015 16:36:16 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-split-a-log-into-multiple-sourcetypes-on-a-heavy/m-p/173636#M34941 somesoni2 2015-03-10T16:36:16Z https://community.splunk.com/t5/Getting-Data-In/How-to-split-a-log-into-multiple-sourcetypes-on-a-heavy/m-p/173637#M34942 <P>Thank you yet again for saving my frail sanity <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> Worked like a charm!</P> Tue, 10 Mar 2015 17:14:59 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-split-a-log-into-multiple-sourcetypes-on-a-heavy/m-p/173637#M34942 cdstealer 2015-03-10T17:14:59Z https://community.splunk.com/t5/Getting-Data-In/How-to-split-a-log-into-multiple-sourcetypes-on-a-heavy/m-p/173638#M34943 <P>Hi @cdstealer</P> <P>Glad @somesoni2 helped you find a solution <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> don't forget to officially accept his answer by clicking on "Accept" directly below the answer to resolve this post and for both of you to receive karma points. Thanks!</P> <P>Patrick</P> Tue, 10 Mar 2015 23:39:16 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-split-a-log-into-multiple-sourcetypes-on-a-heavy/m-p/173638#M34943 ppablo 2015-03-10T23:39:16Z https://community.splunk.com/t5/Getting-Data-In/How-to-split-a-log-into-multiple-sourcetypes-on-a-heavy/m-p/173639#M34944 <P>Thanks Patrick.. completely forgot.. doh! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 11 Mar 2015 05:29:08 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-split-a-log-into-multiple-sourcetypes-on-a-heavy/m-p/173639#M34944 cdstealer 2015-03-11T05:29:08Z https://community.splunk.com/t5/Getting-Data-In/How-to-split-a-log-into-multiple-sourcetypes-on-a-heavy/m-p/173640#M34945 <P>After splitting in to multiple source types how to set the default(here f5 source type ) to empty</P> Mon, 23 Mar 2015 12:35:10 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-split-a-log-into-multiple-sourcetypes-on-a-heavy/m-p/173640#M34945 vGreeshma 2015-03-23T12:35:10Z https://community.splunk.com/t5/Getting-Data-In/How-to-split-a-log-into-multiple-sourcetypes-on-a-heavy/m-p/173641#M34946 <P>Sorry to resurrect an old thread due to my not understanding the solution given, but I have a very similar (if not exactly the same!) issue.</P> <P>I currently have one log file ( ba.mobile.log ) that gets fed into a single index ( ba_com_mobile_logs ) . The log file has custom events that all start with '|HDR1|' which I have created a custom source type call ba.com_activity_log. There is also loads of xml data in the same log file that I would like treat as a separate sourcetype but still have the messages in the same index.</P> <P>Is this possible or should I split the two source types into two indexes. If it is possible, what the heck do I put into my props and transforms configs?</P> <P>The $SPLUNK_HOME/etc/apps/search/local/inputs.conf file on my forwarder looks like...</P> <P>[monitor::///ba/ba.mobile.log]<BR /> index=ba_com_mobile_logs<BR /> sourcetype=ba.com_activity_log</P> Tue, 29 Sep 2020 06:57:09 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-split-a-log-into-multiple-sourcetypes-on-a-heavy/m-p/173641#M34946 markwymer 2020-09-29T06:57:09Z https://community.splunk.com/t5/Getting-Data-In/How-to-split-a-log-into-multiple-sourcetypes-on-a-heavy/m-p/173642#M34947 <P>Sorry, I also meant to add.....</P> <P>Thanks for any help.</P> Wed, 12 Aug 2015 07:27:17 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-split-a-log-into-multiple-sourcetypes-on-a-heavy/m-p/173642#M34947 markwymer 2015-08-12T07:27:17Z https://community.splunk.com/t5/Getting-Data-In/How-to-split-a-log-into-multiple-sourcetypes-on-a-heavy/m-p/173643#M34948 <P>The above suggestion is not correct since it didn't succeeded for me. I changed the following format:<BR /> ` [asm-set-sourcetype]<BR /> DEST_KEY = MetaData:Sourcetype<BR /> REGEX = (\sASM:\s)<BR /> FORMAT = sourcetype:asm_log</P> <P>[psm-set-sourcetype]<BR /> DEST_KEY = MetaData:Sourcetype<BR /> REGEX = (\sPSM:\s)<BR /> FORMAT = sourcetype:psm_log`</P> Tue, 29 Sep 2020 11:37:15 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-split-a-log-into-multiple-sourcetypes-on-a-heavy/m-p/173643#M34948 mbschriek 2020-09-29T11:37:15Z