How to differentiate different sourcetypes when in...

Skins · ‎06-24-2019

I have some blob storage and in there are different files that I need to ingest and apply different source types to.

eg.
some are error.log files
some are web access logs
some are other logs

How do I do this ?

Gratzi.

Azeemering · ‎07-03-2019

Yes, I would use regex in props and transform to split up in specific sourcetypes in this case. Unless there is a better way indeed...

Skins · ‎07-17-2019

OK i went with creating several inputs but use the 'blob list' section to only ingest that log :

Input1:
Bloblist = filetypeA.logs
sourcetype = mscs:storage:blob:fileA

Input2:
Bloblist = filetypeB.logs
sourcetype = mscs:storage:blob:fileB

and so on ..

Skins · ‎06-25-2019

hi ..thanks.

I only have one container with all my logs in .

The only thing i can think of is sourcetype overrides - so i label my input with : mscs:storage:blob:logs

And then identify each sourcetype (as each log has a different name convention) using regex and sourcetype overrides on the HF where the MSCS app is installed.

Unless there is a better way?

gratzi

Azeemering · ‎06-25-2019

Hi,

I'm also playing around with this.
In the Splunk_TA_microsoft-cloudservices/inputs I have created different inputs for each container name.
Each Container Name gets an own sourcetype.

How to differentiate different sourcetypes when ingesting from blob storage?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation