How to differentiate different sourcetypes when in...

Skins · ‎06-24-2019

I have some blob storage and in there are different files that I need to ingest and apply different source types to.

eg.
some are error.log files
some are web access logs
some are other logs

How do I do this ?

Gratzi.

Azeemering · ‎07-03-2019

Yes, I would use regex in props and transform to split up in specific sourcetypes in this case. Unless there is a better way indeed...

Skins · ‎07-17-2019

OK i went with creating several inputs but use the 'blob list' section to only ingest that log :

Input1:
Bloblist = filetypeA.logs
sourcetype = mscs:storage:blob:fileA

Input2:
Bloblist = filetypeB.logs
sourcetype = mscs:storage:blob:fileB

and so on ..

Skins · ‎06-25-2019

hi ..thanks.

I only have one container with all my logs in .

The only thing i can think of is sourcetype overrides - so i label my input with : mscs:storage:blob:logs

And then identify each sourcetype (as each log has a different name convention) using regex and sourcetype overrides on the HF where the MSCS app is installed.

Unless there is a better way?

gratzi

Azeemering · ‎06-25-2019

Hi,

I'm also playing around with this.
In the Splunk_TA_microsoft-cloudservices/inputs I have created different inputs for each container name.
Each Container Name gets an own sourcetype.

How to differentiate different sourcetypes when ingesting from blob storage?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio