All Apps and Add-ons

How to differentiate different sourcetypes when ingesting from blob storage?

Path Finder

I have some blob storage and in there are different files that I need to ingest and apply different source types to.

some are error.log files
some are web access logs
some are other logs

How do I do this ?


0 Karma


Yes, I would use regex in props and transform to split up in specific sourcetypes in this case. Unless there is a better way indeed...

0 Karma

Path Finder

OK i went with creating several inputs but use the 'blob list' section to only ingest that log :

Bloblist = filetypeA.logs
sourcetype = mscs:storage:blob:fileA

Bloblist = filetypeB.logs
sourcetype = mscs:storage:blob:fileB

and so on ..

Path Finder

hi ..thanks.

I only have one container with all my logs in .

The only thing i can think of is sourcetype overrides - so i label my input with : mscs:storage:blob:logs

And then identify each sourcetype (as each log has a different name convention) using regex and sourcetype overrides on the HF where the MSCS app is installed.

Unless there is a better way?


0 Karma



I'm also playing around with this.
In the Splunk_TA_microsoft-cloudservices/inputs I have created different inputs for each container name.
Each Container Name gets an own sourcetype.
alt text

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...