All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Add a sourcetype from a Splunk Supported Add-On to the list of pretrained sourcetypes

lisaac
Path Finder
‎01-08-2017 02:21 PM

Splunk has a list of pretrained sourcetypes (http://docs.splunk.com/Documentation/Splunk/latest/Data/Listofpretrainedsourcetypes). I have installed a new Splunk Supported Add-on called the Splunk Add-on for Tomcat. I am using Splunk Enterprise version 6.5.1.

The list of pre-trained sourcetypes includes a sourcetype of catalina. The description for the sourcetype shows "Output produced by Apache Tomcat Catalina (System.out and System.err)"

The Splunk Add-On for Tomcat (http://docs.splunk.com/Documentation/AddOns/released/Tomcat/Sourcetypes) has the following sources identified as sourcetype tomcat:runtime:log:

Catalina.log, localhost.log, manager.log, host-manager.log

I have a file called /tmp/catalina.log, and I would like Splunk to automatically sourcetype the value as tomcat:runtime:log. In testing, I have a dev splunk instance with the Splunk Add-On for tomcat installed.

I have a monitor statement as follows for testing:

[monitor:///tmp/catalina3.log]
index = main

Attempts to auto learn the sourcetype to a value of tomcat:runtime:log fail. Splunk will always try and set the sourcetype to a value of catalina-#. A # shows the number as an incremental # assigned to the sourcetype. In tests, I used data sets with 200 lines or 2000 lines.

I supposed that I could setup a rule that would check the file name and classify accordingly, but I figured that a Splunk supported Add-On would update the list of pretrained sourcetypes.

Is this a feature add that splunk could add in the future? Is it possible to easily update the list of pretrained sourcetypes?

Reply

lisaac
Path Finder
‎01-08-2017 07:32 PM

That is a good question. The goal is to have Splunk "auto" discover a sourcetype based on a known list. The Splunk UI doesn't have this capability yet, so I have been trying to find methods for automation. I may have missed this in my first post, but I hope this update helps to solidify my first question.

I would like for Splunk to auto discover the sourcetype based on a known list. I can then setup a response to a customer or an admin, based on the results of a Splunk automated sourcetype recognition of a "monitor" input.

0 Karma
Reply

somesoni2
Revered Legend
‎01-08-2017 07:26 PM

Why not just specify the sourcetype that you want your file data to have in the inputs.conf itself?

[monitor:///tmp/catalina3.log]
index = main
sourcetype=tomcat:runtime:log
0 Karma
Reply
Get Updates on the Splunk Community!

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

The Next-Gen Toolkit for Splunk Technology Add-on Development The Universal Configuration Console (UCC) ...

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...