https://community.splunk.com/t5/Getting-Data-In/How-to-specify-source-stanza-for-non-file-input-types-in-props/m-p/366214#M66616 <P>I am trying to write some source:: stanzas in props.conf to forward data to another system. For file inputs (e.g., monitor type inputs), I can write [source::/path/to/file] and it works. However, I am wondering what would the part of source:: be for other source types such as windows event logs. For example, when I tried [source::Application] for matching Windows Application Event logs, it didn't work, but when I tried [source::WinEventLog:Application], it worked. </P> <P>My question is, is there a list of prefixes such as WinEventLog for input types other than file? For example, what would be the prefix patterns for Local Performance Monitoring, TCP/UDP, Registry Monitoring, Local Windows Host, Printer, Network monitoring etc? In lieu of prefix patterns, how would I write the source:: stanza for the above types?</P> Fri, 11 Aug 2017 03:42:12 GMT anton085 2017-08-11T03:42:12Z https://community.splunk.com/t5/Getting-Data-In/How-to-specify-source-stanza-for-non-file-input-types-in-props/m-p/366214#M66616 <P>I am trying to write some source:: stanzas in props.conf to forward data to another system. For file inputs (e.g., monitor type inputs), I can write [source::/path/to/file] and it works. However, I am wondering what would the part of source:: be for other source types such as windows event logs. For example, when I tried [source::Application] for matching Windows Application Event logs, it didn't work, but when I tried [source::WinEventLog:Application], it worked. </P> <P>My question is, is there a list of prefixes such as WinEventLog for input types other than file? For example, what would be the prefix patterns for Local Performance Monitoring, TCP/UDP, Registry Monitoring, Local Windows Host, Printer, Network monitoring etc? In lieu of prefix patterns, how would I write the source:: stanza for the above types?</P> Fri, 11 Aug 2017 03:42:12 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-specify-source-stanza-for-non-file-input-types-in-props/m-p/366214#M66616 anton085 2017-08-11T03:42:12Z https://community.splunk.com/t5/Getting-Data-In/How-to-specify-source-stanza-for-non-file-input-types-in-props/m-p/366215#M66617 <P>No there aren't any fix values. You can set source as required in the inputs.conf and then use the same in props.conf file.</P> Fri, 11 Aug 2017 05:14:49 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-specify-source-stanza-for-non-file-input-types-in-props/m-p/366215#M66617 hardikJsheth 2017-08-11T05:14:49Z https://community.splunk.com/t5/Getting-Data-In/How-to-specify-source-stanza-for-non-file-input-types-in-props/m-p/366216#M66618 <P>Hi anton085,<BR /> you can use also other default fields as sourcetype instead source.<BR /> I always prefer to use sourcetype instead source to make this.<BR /> Bye.<BR /> Giuseppe</P> Fri, 11 Aug 2017 07:27:45 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-specify-source-stanza-for-non-file-input-types-in-props/m-p/366216#M66618 gcusello 2017-08-11T07:27:45Z https://community.splunk.com/t5/Getting-Data-In/How-to-specify-source-stanza-for-non-file-input-types-in-props/m-p/366217#M66619 <P>What if I wanted to forward only a particular source of a sourcetype? Setting a sourcetype would mean all sources will be forwarded, and I don't want that. I assumed there would be predefined values for sources that Splunk supports out of the box.</P> Fri, 11 Aug 2017 13:23:20 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-specify-source-stanza-for-non-file-input-types-in-props/m-p/366217#M66619 anton085 2017-08-11T13:23:20Z https://community.splunk.com/t5/Getting-Data-In/How-to-specify-source-stanza-for-non-file-input-types-in-props/m-p/366218#M66620 <P>I assumed there would be predefined values for sources (and sourcetypes) that Splunk supports out of the box.</P> Fri, 11 Aug 2017 13:24:43 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-specify-source-stanza-for-non-file-input-types-in-props/m-p/366218#M66620 anton085 2017-08-11T13:24:43Z