https://community.splunk.com/t5/Getting-Data-In/What-is-the-best-way-to-match-more-than-3000-patterns-used-to/m-p/190681#M37953 <P>We are evaluating the regex pattern matching and sourcetype configurations (using props.conf + transforms.conf), but we are not sure if 3000+ patterns will be supported or not, and if supported, then what will be downside impact on forwarder/indexer. Will there be any performance impact due to (3000+) pattern matching?</P> Thu, 21 Aug 2014 20:23:43 GMT vganjare 2014-08-21T20:23:43Z https://community.splunk.com/t5/Getting-Data-In/What-is-the-best-way-to-match-more-than-3000-patterns-used-to/m-p/190673#M37945 <P>Hi All,</P> <P>We have more than 3000 patterns which are used to classify events into multiple sourcetypes. What is the best way implementing this use-case?</P> <P>Thanks,<BR /> Vishal</P> Thu, 21 Aug 2014 17:04:15 GMT https://community.splunk.com/t5/Getting-Data-In/What-is-the-best-way-to-match-more-than-3000-patterns-used-to/m-p/190673#M37945 vganjare 2014-08-21T17:04:15Z https://community.splunk.com/t5/Getting-Data-In/What-is-the-best-way-to-match-more-than-3000-patterns-used-to/m-p/190674#M37946 <P>Can you elaborate and provide some examples? I am unclear about what the issue is and what has been tried to date.</P> Thu, 21 Aug 2014 17:32:56 GMT https://community.splunk.com/t5/Getting-Data-In/What-is-the-best-way-to-match-more-than-3000-patterns-used-to/m-p/190674#M37946 dmaislin_splunk 2014-08-21T17:32:56Z https://community.splunk.com/t5/Getting-Data-In/What-is-the-best-way-to-match-more-than-3000-patterns-used-to/m-p/190675#M37947 <P>We are having an application which generates different logs. The logs contains different exceptions from Java application and these exceptions are classified into four different categories:<BR /> 1. Escalate exceptions<BR /> 2. Non-escalate exceptions<BR /> 3. Ignore exceptions<BR /> 4. Unmatched exceptions<BR /> e.g. Anything starting with NullPointerException should go to Escalated exceptions (and escalated exceptions sourcetype)</P> Thu, 21 Aug 2014 17:41:51 GMT https://community.splunk.com/t5/Getting-Data-In/What-is-the-best-way-to-match-more-than-3000-patterns-used-to/m-p/190675#M37947 vganjare 2014-08-21T17:41:51Z https://community.splunk.com/t5/Getting-Data-In/What-is-the-best-way-to-match-more-than-3000-patterns-used-to/m-p/190676#M37948 <P>Try reading this blog as it will help you understand how to re-write sourcetypes based on pattern matching using transforms and props in Splunk:</P> <P><A href="http://blogs.splunk.com/2010/02/11/sourcetypes-gone-wild/">http://blogs.splunk.com/2010/02/11/sourcetypes-gone-wild/</A></P> Thu, 21 Aug 2014 20:09:06 GMT https://community.splunk.com/t5/Getting-Data-In/What-is-the-best-way-to-match-more-than-3000-patterns-used-to/m-p/190676#M37948 dmaislin_splunk 2014-08-21T20:09:06Z https://community.splunk.com/t5/Getting-Data-In/What-is-the-best-way-to-match-more-than-3000-patterns-used-to/m-p/190677#M37949 <P>And you want to set the metadata sourcetype at index time or are you ok with using an eval statement to set fieldname called escalated_exceptions=true for example? Sorry I am not quicker to respond, but I am in all day meetings this week off site.</P> Thu, 21 Aug 2014 20:09:41 GMT https://community.splunk.com/t5/Getting-Data-In/What-is-the-best-way-to-match-more-than-3000-patterns-used-to/m-p/190677#M37949 dmaislin_splunk 2014-08-21T20:09:41Z https://community.splunk.com/t5/Getting-Data-In/What-is-the-best-way-to-match-more-than-3000-patterns-used-to/m-p/190678#M37950 <P>The blog I referenced above gives a great example on how to rewrite sourcetypes based on regex patterns:</P> <P>In props.conf:</P> <P>[source::/path/to/sample.log]<BR /> TRANSFORMS-yummy = setCPSourcetype, setSyslogSourcetype</P> <P>In transforms.conf:</P> <P>[setCPSourcetype]<BR /> DEST_KEY = MetaData:Sourcetype<BR /> REGEX = %PIX-<BR /> FORMAT = sourcetype::cisco-pix</P> <P>[setSyslogSourcetype]<BR /> DEST_KEY = MetaData:Sourcetype<BR /> REGEX = \w+ \d+ \d+:\d+:\d+ \S+ \w+[\d+]:<BR /> FORMAT = sourcetype::syslog</P> Thu, 21 Aug 2014 20:13:17 GMT https://community.splunk.com/t5/Getting-Data-In/What-is-the-best-way-to-match-more-than-3000-patterns-used-to/m-p/190678#M37950 dmaislin_splunk 2014-08-21T20:13:17Z https://community.splunk.com/t5/Getting-Data-In/What-is-the-best-way-to-match-more-than-3000-patterns-used-to/m-p/190679#M37951 <P>We want to set the metadata sourcetype at index time.</P> Thu, 21 Aug 2014 20:13:29 GMT https://community.splunk.com/t5/Getting-Data-In/What-is-the-best-way-to-match-more-than-3000-patterns-used-to/m-p/190679#M37951 vganjare 2014-08-21T20:13:29Z https://community.splunk.com/t5/Getting-Data-In/What-is-the-best-way-to-match-more-than-3000-patterns-used-to/m-p/190680#M37952 <P>Correct, follow the example and blog above and at index time you can dynamically rewrite the sourcetype based on the patterns you define as the REGEX in the transforms.conf file.</P> Thu, 21 Aug 2014 20:17:09 GMT https://community.splunk.com/t5/Getting-Data-In/What-is-the-best-way-to-match-more-than-3000-patterns-used-to/m-p/190680#M37952 dmaislin_splunk 2014-08-21T20:17:09Z https://community.splunk.com/t5/Getting-Data-In/What-is-the-best-way-to-match-more-than-3000-patterns-used-to/m-p/190681#M37953 <P>We are evaluating the regex pattern matching and sourcetype configurations (using props.conf + transforms.conf), but we are not sure if 3000+ patterns will be supported or not, and if supported, then what will be downside impact on forwarder/indexer. Will there be any performance impact due to (3000+) pattern matching?</P> Thu, 21 Aug 2014 20:23:43 GMT https://community.splunk.com/t5/Getting-Data-In/What-is-the-best-way-to-match-more-than-3000-patterns-used-to/m-p/190681#M37953 vganjare 2014-08-21T20:23:43Z https://community.splunk.com/t5/Getting-Data-In/What-is-the-best-way-to-match-more-than-3000-patterns-used-to/m-p/190682#M37954 <P>If I were you I would just put everything into a few sourcetypes and use eventtypes vs. spending all those resources to rewrite the sourcetype.</P> Thu, 21 Aug 2014 20:43:10 GMT https://community.splunk.com/t5/Getting-Data-In/What-is-the-best-way-to-match-more-than-3000-patterns-used-to/m-p/190682#M37954 dmaislin_splunk 2014-08-21T20:43:10Z https://community.splunk.com/t5/Getting-Data-In/What-is-the-best-way-to-match-more-than-3000-patterns-used-to/m-p/190683#M37955 <P>Adding more details:</P> <P>We have 4 sourcetypes: .log, .out, .debug and .err<BR /> Phase-1: Apply 1000 patterns to filter out unwanted data using NullQueue and IndexQueue on Heavy Forwarder-<BR /> [log]<BR /> TRANSFORMS-set = setnull,setraw</P> <P>setnull=.<BR /> setraw=1000 patterns</P> <P>Phase-2: Apply Escalate, Non-Escalate patterns to this output using EXTRACT keyword in props.conf to in respective fields.<BR /> EXTRACT-esc=1000 patterns<BR /> EXTRACT-nonesc=2000 patterns<BR /> In this case, will there be any performance issue on Heavy forwarder and Indexer? Can Splunk handle 3000 patterns at search time and 1000 at parsing time?</P> Fri, 22 Aug 2014 05:02:36 GMT https://community.splunk.com/t5/Getting-Data-In/What-is-the-best-way-to-match-more-than-3000-patterns-used-to/m-p/190683#M37955 meenal901 2014-08-22T05:02:36Z https://community.splunk.com/t5/Getting-Data-In/What-is-the-best-way-to-match-more-than-3000-patterns-used-to/m-p/190684#M37956 <P>I second the idea of using eventtypes</P> Wed, 27 Aug 2014 11:40:06 GMT https://community.splunk.com/t5/Getting-Data-In/What-is-the-best-way-to-match-more-than-3000-patterns-used-to/m-p/190684#M37956 Runals 2014-08-27T11:40:06Z