All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to differentiate different sourcetypes when ingesting from blob storage?

Skins
Path Finder
‎06-24-2019 07:24 PM

I have some blob storage and in there are different files that I need to ingest and apply different source types to.

eg.
some are error.log files
some are web access logs
some are other logs

How do I do this ?

Gratzi.

0 Karma
Reply

Azeemering
Builder
‎07-03-2019 11:44 PM

Yes, I would use regex in props and transform to split up in specific sourcetypes in this case. Unless there is a better way indeed...

0 Karma
Reply

Skins
Path Finder
‎07-17-2019 03:05 AM

OK i went with creating several inputs but use the 'blob list' section to only ingest that log :

Input1:
Bloblist = filetypeA.logs
sourcetype = mscs:storage:blob:fileA

Input2:
Bloblist = filetypeB.logs
sourcetype = mscs:storage:blob:fileB

and so on ..

Reply

Skins
Path Finder
‎06-25-2019 08:36 PM

hi ..thanks.

I only have one container with all my logs in .

The only thing i can think of is sourcetype overrides - so i label my input with : mscs:storage:blob:logs

And then identify each sourcetype (as each log has a different name convention) using regex and sourcetype overrides on the HF where the MSCS app is installed.

Unless there is a better way?

gratzi

0 Karma
Reply

Azeemering
Builder
‎06-25-2019 06:26 AM

Hi,

I'm also playing around with this.
In the Splunk_TA_microsoft-cloudservices/inputs I have created different inputs for each container name.
Each Container Name gets an own sourcetype.
alt text

Preview file
55 KB
0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...