topic Re: Splunk sourcetype naming convention in Getting Data In

Splunk sourcetype naming convention

gauravmsharma — Mon, 21 Sep 2020 09:15:30 GMT

I am dynamically extracting a sourctype using props.conf and tranform.conf file. But the extraction is not working as expected.

The soucetype i am extracting is "eu_test_splunktest_internal_dev" but it seems the splunk is only displaying "eu_test_ "as a sourctype and it's trimming rest of the part.

Is there a splunk offical page which defines any kind of restriction on sourctype name or i can have the mentioned name as a sourctype?

Re: Splunk sourcetype naming convention

gcusello — Mon, 21 Sep 2020 09:24:43 GMT

Hi @gauravmsharma,

when you say "dynamically extracting a sourctype using props.conf and tranform.conf file", you mean the in the pros.conf stanza title you use the "eu_test_splunktest_internal_dev", is it correct?

I am not aware that there are limits in the length of the sourcetypes, but for safety you could try to add a sourcetype using the web gui [Settings -- Source types -- New Source type] and see if there's a limit.

For my knowledge the only limit is to not use some special chars like *, ", <, >, etc...

Check the props.conf to see if there aren't spaces in the sourcetype stanza's title.

Ciao.

Giuseppe

Re: Splunk sourcetype naming convention

gauravmsharma — Mon, 21 Sep 2020 11:42:29 GMT

No, i am trying to overide the sourcetype using regex, as available in below documentation.

https://docs.splunk.com/Documentation/Splunk/latest/Data/Advancedsourcetypeoverrides

The source type is override based on the regex which i have written in tranform.conf file.

Re: Splunk sourcetype naming convention

gcusello — Mon, 21 Sep 2020 12:20:48 GMT

Hi @gauravmsharma,

in my knowledge there isn't any reason to trim the sourcetype in overriding.

Have you the same problem using a sourcetype with the same number of chars but without special chars?

e.g.: eutestsplunktestinternaldev1234

If yes, there's an undocumented limit to the number of chars, so I hint to open a Case to Splunk Support.

If not, check the special chars you're using and see if you avoid to use them.

Ciao.

Giuseppe

Re: Splunk sourcetype naming convention

vikramyadav — Mon, 21 Sep 2020 12:52:20 GMT

If you want to override a source type, you must configure the setting in props.conf on the forwarder where the input is configured.

To override source type assignment, add a stanza for your source to props.conf . In the stanza, identify the source path, using regular expression (regex) syntax for flexibility if necessary. Then specify the source type by including a sourcetype attribute. For example:
[source::.../var/log/abc.log(.\d+)?]
sourcetype=abc

https://docs.splunk.com/Documentation/Splunk/8.0.6/Data/Bypassautomaticsourcetypeassignment

-----------------------------------------------------------
If this helps, your like will be appreciated. 😊

Re: Splunk sourcetype naming convention

gauravmsharma — Mon, 21 Sep 2020 13:00:59 GMT

This is not my query here.