In the below stanzas, both have the same sourcetype name; how will the priority be decided when assigning the sourcetype?
Has anybody used rule-based sourcetypes? Any example would be very useful.
In the below case, does "MORE_THAN_75"
mean the number of events?
Normal sourcetype: access_combined
[access_combined]
pulldown_type = true
maxDist = 28
MAX_TIMESTAMP_LOOKAHEAD = 128
REPORT-access = access-extractions
SHOULD_LINEMERGE = False
TIME_PREFIX = \[
Rule-based sourcetype: access_combined
[rule::access_combined]
sourcetype = access_combined
MORE_THAN_75 = ^\S+ \S+ \S+ \S* ?\[[^\]]+\] "[^"]*" \S+ \S+ \S+ "[^"]*"$
Hi splunker12er,
the docs provide nice examples of rule-based sourcetype assignment: http://docs.splunk.com/Documentation/Splunk/6.1.1/Data/Configurerule-basedsourcetyperecognition#Exam...
Related to your example, this means: if 75% or more of the input lines match the regex, then this sourcetype will be used.
Cheers, MuS
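To make the percentage rule concrete, here is an added example (my own code, not Splunk's implementation) that reads the [rule::access_combined] stanza from the question and applies its MORE_THAN_75 regex to a constructed sample of lines; the helper names, the sample lines and the handling of exactly N% as a hit are assumptions.

```python
import re

# Hypothetical helper, not Splunk's code: scores a [rule::] stanza the way the
# answer describes, by the share of sampled lines each regex matches.
RULE_KEY = re.compile(r"^(MORE_THAN|LESS_THAN)_(\d+)$")

def parse_rule_stanza(text):
    """Return (sourcetype, [(kind, percent, compiled_regex), ...])."""
    sourcetype, checks = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "[")):
            continue  # skip blanks, comments and the [rule::...] header
        key, _, value = line.partition("=")
        key, value, m = key.strip(), value.strip(), RULE_KEY.match(key.strip())
        if key == "sourcetype":
            sourcetype = value
        elif m:
            checks.append((m.group(1), int(m.group(2)), re.compile(value)))
    return sourcetype, checks

def match_percentage(regex, lines):
    """Percentage of lines the regex matches from the start (0.0 if empty)."""
    hits = sum(1 for l in lines if regex.match(l))
    return 100.0 * hits / len(lines) if lines else 0.0

def rule_applies(checks, lines):
    """All thresholds must hold; counting exactly N% as a hit is an assumption."""
    for kind, pct, regex in checks:
        p = match_percentage(regex, lines)
        if kind == "MORE_THAN" and p < pct:    # "75% or more", as the answer reads it
            return False
        if kind == "LESS_THAN" and p >= pct:
            return False
    return bool(checks)

def guess_sourcetype(stanza_text, lines):
    """Sourcetype the rule assigns if it fires on the sample, else None."""
    sourcetype, checks = parse_rule_stanza(stanza_text)
    return sourcetype if rule_applies(checks, lines) else None

RULE_STANZA = r"""
[rule::access_combined]
sourcetype = access_combined
MORE_THAN_75 = ^\S+ \S+ \S+ \S* ?\[[^\]]+\] "[^"]*" \S+ \S+ \S+ "[^"]*"$
"""

# Constructed sample lines (not real logs): combined-format access lines plus noise.
ACCESS = '10.0.0.1 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326 "http://example.com/" "Mozilla/4.08"'
SAMPLE_80 = [ACCESS] * 4 + ["Oct 10 13:55:36 host sshd[123]: Accepted publickey for alice"]  # 80% -> fires
SAMPLE_50 = [ACCESS] * 2 + ["not an access line"] * 2                                           # 50% -> does not
```

Running `guess_sourcetype(RULE_STANZA, SAMPLE_80)` returns "access_combined" while the 50% sample returns None, which is the "percentage of lines, not number of events" distinction the question asks about.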