https://community.splunk.com/t5/Getting-Data-In/Is-there-a-better-way-to-edit-my-current-inputs-conf-for/m-p/237171#M46064 <P>All, </P> <P>I have a dozen+ inputs I am creating. I feel there there should be a smarter way of doing this. As you can see, I am naming the sourcetype after the log. </P> <PRE><CODE>[monitor:///opt/paidsearch/autopilot/logs/collateral.log] index=paidsearch sourcetype=paidsearch:collateral [monitor:///opt/paidsearch/autopilot/logs/partner.log] index=paidsearch sourcetype=paidsearch:partner </CODE></PRE> Fri, 07 Oct 2016 17:39:41 GMT daniel333 2016-10-07T17:39:41Z https://community.splunk.com/t5/Getting-Data-In/Is-there-a-better-way-to-edit-my-current-inputs-conf-for/m-p/237171#M46064 <P>All, </P> <P>I have a dozen+ inputs I am creating. I feel there there should be a smarter way of doing this. As you can see, I am naming the sourcetype after the log. </P> <PRE><CODE>[monitor:///opt/paidsearch/autopilot/logs/collateral.log] index=paidsearch sourcetype=paidsearch:collateral [monitor:///opt/paidsearch/autopilot/logs/partner.log] index=paidsearch sourcetype=paidsearch:partner </CODE></PRE> Fri, 07 Oct 2016 17:39:41 GMT https://community.splunk.com/t5/Getting-Data-In/Is-there-a-better-way-to-edit-my-current-inputs-conf-for/m-p/237171#M46064 daniel333 2016-10-07T17:39:41Z https://community.splunk.com/t5/Getting-Data-In/Is-there-a-better-way-to-edit-my-current-inputs-conf-for/m-p/237172#M46065 <P>Yes there is.<BR /> (NOTE I HAVEN'T TESTED THE BELOW)</P> <P>Collection layer (normally a universal forwarder):</P> <PRE><CODE> [monitor:///opt/paidsearch/autopilot/logs/*.log] index=paidsearch sourcetype=paidsearch:rename </CODE></PRE> <P>Parsing layer (before indexing, usually a heavy forwarder or indexer):</P> <PRE><CODE># props.conf [paidsearch:rename] TRANSFORMS-changesourcetype = set_paidsearch_sourcetype_from_filename # transforms.conf [set_paidsearch_sourcetype_from_filename] SOURCE_KEY = MetaData::Source REGEX = ([^\/]+)\.\w+$ FORMAT = paidsearch:$1 DEST_KEY = MetaData::Sourcetype WRITE_META = true </CODE></PRE> Fri, 07 Oct 2016 18:08:49 GMT https://community.splunk.com/t5/Getting-Data-In/Is-there-a-better-way-to-edit-my-current-inputs-conf-for/m-p/237172#M46065 javiergn 2016-10-07T18:08:49Z https://community.splunk.com/t5/Getting-Data-In/Is-there-a-better-way-to-edit-my-current-inputs-conf-for/m-p/237173#M46066 <P>There must be all kinds of ways - I create tiny little Java programs for this type of cases...</P> Fri, 07 Oct 2016 18:08:50 GMT https://community.splunk.com/t5/Getting-Data-In/Is-there-a-better-way-to-edit-my-current-inputs-conf-for/m-p/237173#M46066 ddrillic 2016-10-07T18:08:50Z https://community.splunk.com/t5/Getting-Data-In/Is-there-a-better-way-to-edit-my-current-inputs-conf-for/m-p/237174#M46067 <P>I usually think changing sourcetype is evil and should be avoided. But this is nice. I like it.</P> Fri, 07 Oct 2016 20:22:34 GMT https://community.splunk.com/t5/Getting-Data-In/Is-there-a-better-way-to-edit-my-current-inputs-conf-for/m-p/237174#M46067 twinspop 2016-10-07T20:22:34Z https://community.splunk.com/t5/Getting-Data-In/Is-there-a-better-way-to-edit-my-current-inputs-conf-for/m-p/237175#M46068 <P>inputs.conf</P> <PRE><CODE> [monitor:///opt/paidsearch/autopilot/logs] index=paidsearch sourcetype=paidsearch </CODE></PRE> <P>props.conf (at the same Splunk instance because this is input stage configuration)</P> <PRE><CODE> [source::/opt/paidsearch/autopilot/logs/collateral.log] sourcetype=paidsearch:collateral [source::/opt/paidsearch/autopilot/logs/partner.log] sourcetype=paidsearch:partner </CODE></PRE> Mon, 10 Oct 2016 21:00:46 GMT https://community.splunk.com/t5/Getting-Data-In/Is-there-a-better-way-to-edit-my-current-inputs-conf-for/m-p/237175#M46068 Masa 2016-10-10T21:00:46Z