In the below stanzas, both have the same sourcetype name; how is priority decided when assigning the sourcetype?
Has anybody used rule-based sourcetypes? Any example would be very useful.
In the below case, does "MORE_THAN_75" mean the number of events?
Normal sourcetype : access_combined

    [access_combined]
    pulldown_type = true
    maxDist = 28
    MAX_TIMESTAMP_LOOKAHEAD = 128
    REPORT-access = access-extractions
    SHOULD_LINEMERGE = False
    TIME_PREFIX = \[

Rule Based Sourcetype : access_combined

    [rule::access_combined]
    sourcetype = access_combined
    MORE_THAN_75 = ^\S+ \S+ \S+ \S* ?\[[^\]]+\] "[^"]*" \S+ \S+ \S+ "[^"]*"$
The docs provide nice examples (http://docs.splunk.com/Documentation/Splunk/6.1.1/Data/Configurerule-basedsourcetyperecognition#Exam...) of rule-based sourcetype assignment.
Related to your example, this means: if 75% or more of the input lines match the regex, then this sourcetype will be used.
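To make the MORE_THAN_N semantics concrete, here is an added Python example (not Splunk's code) that evaluates the regex from the question against two constructed batches of lines and reports whether the rule stanza would fire. It assumes the answer's reading of the threshold ("75% or more") and treats an empty batch as a 0% match; the MORE_THAN/LESS_THAN key parsing is a simplified stand-in for how Splunk reads props.conf.

```python
import re

# Constructed sample input: four Apache "combined" lines plus one syslog line.
ACCESS_BATCH = [
    '10.0.0.1 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326 "-" "Mozilla/4.08"',
    '10.0.0.2 - frank [10/Oct/2000:13:55:37 -0700] "POST /login HTTP/1.1" 302 512 "http://example.test/" "curl/7.68.0"',
    '10.0.0.3 - - [10/Oct/2000:13:55:38 -0700] "GET /img/logo.png HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '10.0.0.4 - - [10/Oct/2000:13:55:39 -0700] "HEAD / HTTP/1.1" 200 0 "-" "check_http/v2.3"',
    'Oct 10 13:55:40 web01 sshd[1234]: Accepted publickey for frank from 10.0.0.9 port 52211',
]
# Constructed batch of lines that do not look like access logs at all.
SYSLOG_BATCH = [
    'Oct 10 13:55:40 web01 sshd[1234]: Accepted publickey for frank from 10.0.0.9 port 52211',
    'Oct 10 13:55:41 web01 sudo: frank : TTY=pts/0 ; COMMAND=/bin/systemctl restart httpd',
]

# The rule from the question, keyed exactly as it appears in the props.conf stanza.
RULES = {
    "MORE_THAN_75": r'^\S+ \S+ \S+ \S* ?\[[^\]]+\] "[^"]*" \S+ \S+ \S+ "[^"]*"$',
}

def match_percentage(pattern: str, lines) -> float:
    """Percentage of lines the regex matches; an empty batch yields 0.0."""
    if not lines:
        return 0.0
    regex = re.compile(pattern)
    hits = sum(1 for line in lines if regex.search(line))
    return 100.0 * hits / len(lines)

def rule_holds(rule_name: str, pattern: str, lines) -> bool:
    """Evaluate one MORE_THAN_N / LESS_THAN_N key against the sample lines."""
    kind, _, number = rule_name.rpartition("_")
    threshold = float(number)
    pct = match_percentage(pattern, lines)
    if kind == "MORE_THAN":
        return pct >= threshold   # assumption: "75% or more", as the answer reads it
    if kind == "LESS_THAN":
        return pct < threshold
    raise ValueError(f"unsupported rule key: {rule_name}")

def stanza_applies(rules: dict, lines) -> bool:
    """A rule-based stanza assigns its sourcetype only if every rule in it holds."""
    return all(rule_holds(name, pat, lines) for name, pat in rules.items())

if __name__ == "__main__":
    for label, batch in (("access", ACCESS_BATCH), ("syslog", SYSLOG_BATCH)):
        pct = match_percentage(RULES["MORE_THAN_75"], batch)
        print(f"{label}: {pct:.0f}% match -> stanza applies: {stanza_applies(RULES, batch)}")
```

The access batch matches on 4 of 5 lines (80%), so the rule holds and access_combined would be assigned; the syslog batch matches 0% and the rule stanza is skipped.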