https://community.splunk.com/t5/Splunk-Search/How-does-rule-based-sourcetype-works/m-p/110805#M183598 <P>In the below stanzas , both are having same source-type names, how the priority will be in assigning sourcetype?</P> <P>Has anybody used rule based sourcetype, any example will be more useful.</P> <P>in the beloe case <CODE>"MORE_THAN_75"</CODE> means no. of events ?</P> <P>Normal sourcetype : <STRONG>access_combined</STRONG></P> <PRE><CODE>[access_combined] pulldown_type = true maxDist = 28 MAX_TIMESTAMP_LOOKAHEAD = 128 REPORT-access = access-extractions SHOULD_LINEMERGE = False TIME_PREFIX = \[ </CODE></PRE> <P><STRONG>Rule Based</STRONG> Sourcetype : access_combined</P> <PRE><CODE>[rule::access_combined] sourcetype = access_combined MORE_THAN_75 = ^\S+ \S+ \S+ \S* ?\[[^\]]+\] "[^"]*" \S+ \S+ \S+ "[^"]*"$ </CODE></PRE> Thu, 19 Jun 2014 10:09:25 GMT splunker12er 2014-06-19T10:09:25Z https://community.splunk.com/t5/Splunk-Search/How-does-rule-based-sourcetype-works/m-p/110805#M183598 <P>In the below stanzas , both are having same source-type names, how the priority will be in assigning sourcetype?</P> <P>Has anybody used rule based sourcetype, any example will be more useful.</P> <P>in the beloe case <CODE>"MORE_THAN_75"</CODE> means no. of events ?</P> <P>Normal sourcetype : <STRONG>access_combined</STRONG></P> <PRE><CODE>[access_combined] pulldown_type = true maxDist = 28 MAX_TIMESTAMP_LOOKAHEAD = 128 REPORT-access = access-extractions SHOULD_LINEMERGE = False TIME_PREFIX = \[ </CODE></PRE> <P><STRONG>Rule Based</STRONG> Sourcetype : access_combined</P> <PRE><CODE>[rule::access_combined] sourcetype = access_combined MORE_THAN_75 = ^\S+ \S+ \S+ \S* ?\[[^\]]+\] "[^"]*" \S+ \S+ \S+ "[^"]*"$ </CODE></PRE> Thu, 19 Jun 2014 10:09:25 GMT https://community.splunk.com/t5/Splunk-Search/How-does-rule-based-sourcetype-works/m-p/110805#M183598 splunker12er 2014-06-19T10:09:25Z https://community.splunk.com/t5/Splunk-Search/How-does-rule-based-sourcetype-works/m-p/110806#M183599 <P>Hi splunker12er,</P> <P>the docs provide nice examples <A href="http://docs.splunk.com/Documentation/Splunk/6.1.1/Data/Configurerule-basedsourcetyperecognition#Examples">http://docs.splunk.com/Documentation/Splunk/6.1.1/Data/Configurerule-basedsourcetyperecognition#Examples</A> about rule based sourcetype assignment.</P> <P>Related to your example this means, if 75% or more of the input lines match the regex, then this sourcetype will be used.</P> <P>Cheers, MuS</P> Thu, 19 Jun 2014 11:56:47 GMT https://community.splunk.com/t5/Splunk-Search/How-does-rule-based-sourcetype-works/m-p/110806#M183599 MuS 2014-06-19T11:56:47Z