https://community.splunk.com/t5/Splunk-Search/Define-sourctype-based-on-the-host-via-a-lookup/m-p/77991#M19730 <P>We have many different data sources which can only send on 514 UDP.</P> <P>I need to define the sourcetype based on the host value.</P> <P>I can see this can be done easily using a regex as described here</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/5.0.4/Data/Advancedsourcetypeoverrides">Advancedsourcetypeoverrides</A></P> <P>However we have thousands of hosts with no obvious naming conventions.</P> <P>so what i would want to do is maintain a list of hostnames and refernce that and say </P> <P>if in ListA; sourcetype=typeA<BR /> if in ListB; sourcetype=typeB</P> <P>etc</P> <P>i really dont want to have several huge regex like </P> <P>host1|host2|host3|host4|.................|host230|host231....</P> <P>there is also no easy way to to regex based on the pattern of the events!</P> <P>any ideas?!</P> Tue, 01 Oct 2013 10:17:09 GMT robf 2013-10-01T10:17:09Z https://community.splunk.com/t5/Splunk-Search/Define-sourctype-based-on-the-host-via-a-lookup/m-p/77991#M19730 <P>We have many different data sources which can only send on 514 UDP.</P> <P>I need to define the sourcetype based on the host value.</P> <P>I can see this can be done easily using a regex as described here</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/5.0.4/Data/Advancedsourcetypeoverrides">Advancedsourcetypeoverrides</A></P> <P>However we have thousands of hosts with no obvious naming conventions.</P> <P>so what i would want to do is maintain a list of hostnames and refernce that and say </P> <P>if in ListA; sourcetype=typeA<BR /> if in ListB; sourcetype=typeB</P> <P>etc</P> <P>i really dont want to have several huge regex like </P> <P>host1|host2|host3|host4|.................|host230|host231....</P> <P>there is also no easy way to to regex based on the pattern of the events!</P> <P>any ideas?!</P> Tue, 01 Oct 2013 10:17:09 GMT https://community.splunk.com/t5/Splunk-Search/Define-sourctype-based-on-the-host-via-a-lookup/m-p/77991#M19730 robf 2013-10-01T10:17:09Z https://community.splunk.com/t5/Splunk-Search/Define-sourctype-based-on-the-host-via-a-lookup/m-p/77992#M19731 <P>Sorry, mechanisms like lookup are simply not available in that stage of the indexing pipeline. Lookups are pure search-time operations. Transforms like sourcetype rewriting, event filtering etc can be done with regexes only.</P> Tue, 01 Oct 2013 10:59:10 GMT https://community.splunk.com/t5/Splunk-Search/Define-sourctype-based-on-the-host-via-a-lookup/m-p/77992#M19731 Ayn 2013-10-01T10:59:10Z https://community.splunk.com/t5/Splunk-Search/Define-sourctype-based-on-the-host-via-a-lookup/m-p/77993#M19732 <P>thanks. so is the only way to do a huge regex as far as you know?</P> Tue, 01 Oct 2013 11:13:29 GMT https://community.splunk.com/t5/Splunk-Search/Define-sourctype-based-on-the-host-via-a-lookup/m-p/77993#M19732 robf 2013-10-01T11:13:29Z https://community.splunk.com/t5/Splunk-Search/Define-sourctype-based-on-the-host-via-a-lookup/m-p/77994#M19733 <P>Ayn is right, unfortunately. You can set up Splunk to listen on more than one port (515,516,517 etc) and specify in inputs.conf on the receiving end that dictates the sourcetype to be used;</P> <PRE><CODE>[udp://:514] connection_host = dns sourcetype = type_a [udp://:515] connection_host = dns sourcetype = type_b [udp://:516] connection_host = dns sourcetype = type_c </CODE></PRE> <P>Unfortunately, you'd need to reconfigure a substantial number of your hosts to send to another port. And all data coming from each host would have the same sourcetype. (though you could override it, of course).</P> <P>/K</P> Tue, 01 Oct 2013 11:24:47 GMT https://community.splunk.com/t5/Splunk-Search/Define-sourctype-based-on-the-host-via-a-lookup/m-p/77994#M19733 kristian_kolb 2013-10-01T11:24:47Z https://community.splunk.com/t5/Splunk-Search/Define-sourctype-based-on-the-host-via-a-lookup/m-p/77995#M19734 <P>thanks but unfortunately a number of devices cannot change their remote syslog port number</P> Tue, 01 Oct 2013 11:32:59 GMT https://community.splunk.com/t5/Splunk-Search/Define-sourctype-based-on-the-host-via-a-lookup/m-p/77995#M19734 robf 2013-10-01T11:32:59Z https://community.splunk.com/t5/Splunk-Search/Define-sourctype-based-on-the-host-via-a-lookup/m-p/77996#M19735 <P>Depending on your setup, i.e. if it's just the <EM>port</EM> that can't be changed, you might be able to do a similar operation, but by setting up a few syslog servers (rsyslog, splunk or other), and changing the destination ip on the sending hosts. </P> <P>Then you install a forwarder on each syslog server... and set the sourcetype in inputs.conf. A bit messy - to say the least - for the initial setup, but hopefully fairly straightforward once it's set up.</P> <P>/K</P> Tue, 01 Oct 2013 12:35:23 GMT https://community.splunk.com/t5/Splunk-Search/Define-sourctype-based-on-the-host-via-a-lookup/m-p/77996#M19735 kristian_kolb 2013-10-01T12:35:23Z https://community.splunk.com/t5/Splunk-Search/Define-sourctype-based-on-the-host-via-a-lookup/m-p/77997#M19736 <P>Hi robf,</P> <P>@Ayn and @kristian.kolb are both right, but you could try something like this and use a slim regex in <CODE>transforms.conf</CODE>:</P> <PRE><CODE>[yourHostTransforms] SOURCE_KEY = host DEST_KEY = MetaData:Sourcetype REGEX = host\d+ FORMAT = sourcetype::$1 </CODE></PRE> <P>I did something for an index re-write lately, but did not test it for sourcetype yet.</P> <P>hope this helps ...</P> <P>cheers, MuS</P> Fri, 05 Sep 2014 05:55:06 GMT https://community.splunk.com/t5/Splunk-Search/Define-sourctype-based-on-the-host-via-a-lookup/m-p/77997#M19736 MuS 2014-09-05T05:55:06Z https://community.splunk.com/t5/Splunk-Search/Define-sourctype-based-on-the-host-via-a-lookup/m-p/77998#M19737 <P>?? that would mean one sourcetype per host... assuming that you'd put the whole REGEX as capturing group. </P> <P>And the hosts were not named in such a fashion. .. and @robf has already been down that road.</P> Fri, 05 Sep 2014 08:13:11 GMT https://community.splunk.com/t5/Splunk-Search/Define-sourctype-based-on-the-host-via-a-lookup/m-p/77998#M19737 kristian_kolb 2014-09-05T08:13:11Z https://community.splunk.com/t5/Splunk-Search/Define-sourctype-based-on-the-host-via-a-lookup/m-p/77999#M19738 <P>Hi /k, I used the information available here in this post and showed an example what can be done. There is nothing mentioned about hosts not being named in such a fashion.</P> Fri, 05 Sep 2014 08:23:22 GMT https://community.splunk.com/t5/Splunk-Search/Define-sourctype-based-on-the-host-via-a-lookup/m-p/77999#M19738 MuS 2014-09-05T08:23:22Z https://community.splunk.com/t5/Splunk-Search/Define-sourctype-based-on-the-host-via-a-lookup/m-p/78000#M19739 <UL> <LI>"thousands of hosts with no obvious naming conventions". </LI> <LI>He wants 2 different sourcetypes.</LI> </UL> <P>But the post is almost a year old, and maybe he solved the problem already.</P> <P><span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>/K</P> Fri, 05 Sep 2014 13:08:10 GMT https://community.splunk.com/t5/Splunk-Search/Define-sourctype-based-on-the-host-via-a-lookup/m-p/78000#M19739 kristian_kolb 2014-09-05T13:08:10Z https://community.splunk.com/t5/Splunk-Search/Define-sourctype-based-on-the-host-via-a-lookup/m-p/78001#M19740 <P>HeHe, let's call this selective memory <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> Only the regex example for the hosts was left while writing it. Never mind, maybe someone else can use this.</P> <P>cheers, MuS</P> Fri, 05 Sep 2014 13:19:30 GMT https://community.splunk.com/t5/Splunk-Search/Define-sourctype-based-on-the-host-via-a-lookup/m-p/78001#M19740 MuS 2014-09-05T13:19:30Z