topic Re: sourcetype based upon host in Getting Data In

Is it possible to dynamically change sourcetype based upon host?

a212830 — Thu, 27 Oct 2022 15:54:17 GMT

Hi,

I have a logfile that contains lots of hosts (coming in from syslog). I want to dynamically change the sourcetype based upon the host value. (It has to be host, not just text in the stream). Is this possible? Not that there are numerous other inputs coming in on this system, some of which also contain these same hosts, but I don't want them included in this setup.

Re: sourcetype based upon host

okrabbe_splunk — Tue, 28 May 2013 02:13:04 GMT

You can match a host in props.conf and set a source type. Host stanzas override sourcetype stanza.

[syslog]

blah blah

[host::myserver*]
sourcetype=special_sourcetype

Even though the event came in as syslog, as long as the host stanza matches it will override syslog.

Here is the props.conf spec for more info:

http://docs.splunk.com/Documentation/Splunk/latest/admin/Propsconf

Re: sourcetype based upon host

a212830 — Tue, 28 May 2013 10:28:39 GMT

Is the host stanza a sub-set of the syslog stanza? I have other inputs that will have the same hosts, but I don't want those modified.

Re: sourcetype based upon host

okrabbe_splunk — Mon, 28 Sep 2020 13:59:16 GMT

ok, if you need it dependent you can try this.

props.conf

[syslog]
TRANSFORMS-set_sourcetype = set_sourcetype

transforms.conf

[set_sourcetype]
FORMAT = new_sourcetype
REGEX = myserver
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Sourcetype

Re: sourcetype based upon host

a212830 — Tue, 28 May 2013 15:08:39 GMT

Thanks. One last question - would it be possible to do this based upon a lookup? I did a search, but I don't see any examples of this being done.

Re: sourcetype based upon host

okrabbe_splunk — Tue, 28 May 2013 19:05:42 GMT

Unfortunately I do not know of a way to do this based on a lookup.

One thing I would say though is that sometimes it is easier to fix this on the way in rather than trying to fix it in Splunk.

Many times people will have their syslog receiver split out the syslog into different directories based on hosts and then you would just configure the SPlunk forwarder to map these directories to source types.

Re: sourcetype based upon host

a212830 — Wed, 29 May 2013 00:34:48 GMT

Thanks. Yes, I'm doing that on a linux system, but this is legacy stuff running on Solaris, and uses standard syslog daemons. Thanks for all the info.

Re: sourcetype based upon host

mkalyakin — Mon, 20 Jul 2020 10:13:43 GMT

better use this one

https://community.splunk.com/t5/Getting-Data-In/Using-props-transforms-to-assign-sourcetype-and-extract-fields/td-p/97512

Re: sourcetype based upon host

jfaldmomacu — Thu, 27 Oct 2022 15:35:54 GMT

This does not work anymore. I'm not sure if it would have ever worked, but according to the documentation sourcetype=something only works when applied to a source. A transforms.conf file is needed. The example given in another reply almost works, it was missing the "sourcetype::" on the FORMAT line.

[syslog]
TRANSFORMS-set_sourcetype = set_sourcetype

transforms.conf

[set_sourcetype]
FORMAT = sourcetype::new_sourcetype
REGEX = myserver
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Sourcetype