topic Re: Defining custom sourcetype based on log file path in Getting Data In https://community.splunk.com/t5/Getting-Data-In/Defining-custom-sourcetype-based-on-log-file-path/m-p/30639#M5380 <P>Are you using Splunk's deployment server to manage forwarder configurations? That should be the best way to solve the issue. </P> <P>Otherwise, you could use props/transforms stanzas to override the sourcetype assignment at runtime. You could run a regex on the "source" field and assign a predefined sourcetype if the event matches the regex. You can find lots of details here: <A href="http://www.splunk.com/base/Documentation/latest/Admin/Advancedsourcetypeoverrides" rel="nofollow">http://www.splunk.com/base/Documentation/latest/Admin/Advancedsourcetypeoverrides</A></P> Sun, 23 Jan 2011 01:09:23 GMT Paolo_Prigione 2011-01-23T01:09:23Z Defining custom sourcetype based on log file path https://community.splunk.com/t5/Getting-Data-In/Defining-custom-sourcetype-based-on-log-file-path/m-p/30638#M5379 <P>We have a forwarder/receiver topology configured here. Each of the 200 or so servers have a light forwarder their info to the main indexer/receiver.</P> <P>My challenge is that many of these machines are generating a custom source type.</P> <P>We are currently defining the custom source types in a .conf file at the forwarding machine. unfortunately, this creates somewhat of a management problem given the number of machines.</P> <P>is there way to define custom source types in .conf at the Receiver/Indexer?</P> Sat, 22 Jan 2011 23:20:28 GMT https://community.splunk.com/t5/Getting-Data-In/Defining-custom-sourcetype-based-on-log-file-path/m-p/30638#M5379 jcbrendsel 2011-01-22T23:20:28Z Re: Defining custom sourcetype based on log file path https://community.splunk.com/t5/Getting-Data-In/Defining-custom-sourcetype-based-on-log-file-path/m-p/30639#M5380 <P>Are you using Splunk's deployment server to manage forwarder configurations? That should be the best way to solve the issue. </P> <P>Otherwise, you could use props/transforms stanzas to override the sourcetype assignment at runtime. You could run a regex on the "source" field and assign a predefined sourcetype if the event matches the regex. You can find lots of details here: <A href="http://www.splunk.com/base/Documentation/latest/Admin/Advancedsourcetypeoverrides" rel="nofollow">http://www.splunk.com/base/Documentation/latest/Admin/Advancedsourcetypeoverrides</A></P> Sun, 23 Jan 2011 01:09:23 GMT https://community.splunk.com/t5/Getting-Data-In/Defining-custom-sourcetype-based-on-log-file-path/m-p/30639#M5380 Paolo_Prigione 2011-01-23T01:09:23Z