We have around 15 files we're ingesting into Splunk all of them have the same format:
We would like to change the sourcetype of the files as they come in. So the sourcetype should automatically be set to:
Can this be done dynamically via inputs.conf? Or does this need to happen in props/transforms.conf? What would my regex look like? All help is appreciated...
To do this dynamically you would use props.conf and transforms.conf with the following code:
# props.conf (stanza is a placeholder: match the source path or the sourcetype your inputs.conf assigns)
[source::...//logs/...]
TRANSFORMS-change_sourcetype = change_sourcetype
EDIT: Please excuse the below formatting; I couldn't get the line breaks to work.
# transforms.conf; (?U) makes the \S+ quantifiers lazy in PCRE, so $1 is the directory right after //logs/<dir>/
[change_sourcetype]
SOURCE_KEY = source
REGEX = (?U)\/\/logs\/\S+\/(\S+)\/
FORMAT = sourcetype::$1
DEST_KEY = MetaData:Sourcetype
Splunk will need to be restarted for the changes to take effect.
I've not tested it but it should work. Let me know if you have any issues.
Also, if they all have the same format then I'd recommend that they all share the same sourcetype. Have you considered using a different field? This would be done using a search-time extraction.
I forgot to state that these files sit on an rsyslog server (with a forwarder installed) and we ingest them via inputs.conf. Will the props and transforms need to be on my indexers? I appreciate your response.
Apologies, this was left over from my original conf file. I have corrected the original post.
$1 (the correct value) references the first capture group of the regex.
(?U)\/\S+\/\S+\/(?<sourcetype>.+)\/ should work.
I noticed that your regex101 was set to Python. Splunk uses PCRE regex for extractions.
I had missed SOURCE_KEY = source from the transforms.conf in my original answer, which has now been updated.
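A worked emulation of the index-time transform from the answer above, together with the PCRE-versus-Python point raised in the comments. This is added example code, not from the original thread and not Splunk's own logic: it mimics what SOURCE_KEY, REGEX, FORMAT and DEST_KEY do using Python's re module. Python's re has no equivalent of PCRE's (?U) ungreedy flag, so the small hand-written translator below drops the flag and rewrites + and * as lazy quantifiers (and PCRE's (?<name>...) as (?P<name>...)) before matching. The TRANSFORM dict stands in for the transforms.conf stanza, and the source paths and the initial "sourcetype::rsyslog" value are constructed placeholders.

```python
import re

# The transforms.conf stanza as posted in the answer, with the SOURCE_KEY the
# answerer added later. Splunk reads these keys from transforms.conf; here they
# are just a dict the emulator below consumes.
TRANSFORM = {
    "SOURCE_KEY": "source",
    "REGEX": r"(?U)\/\/logs\/\S+\/(\S+)\/",
    "FORMAT": "sourcetype::$1",
    "DEST_KEY": "MetaData:Sourcetype",
}


def pcre_to_python(pattern: str) -> str:
    """Translate the small PCRE subset used in this thread into Python 're'.

    PCRE's (?U) inverts quantifier greediness; Python's re has no such flag,
    so we drop it and append '?' to every + and * instead. PCRE's (?<name>...)
    becomes Python's (?P<name>...). Enough for the two regexes in the thread,
    not a general converter (assumption: no + or * inside character classes).
    """
    if pattern.startswith("(?U)"):
        pattern = pattern[len("(?U)"):]
        pattern = re.sub(r"([+*])(?!\?)", r"\1?", pattern)
    return re.sub(r"\(\?<(?![=!])", "(?P<", pattern)


def first_group(pattern_py: str, text: str):
    """Return capture group 1 of the first match, or None when nothing matches."""
    m = re.search(pattern_py, text)
    return m.group(1) if m else None


def apply_transform(event_meta: dict, transform: dict) -> dict:
    """Emulate one index-time transform on an event's metadata.

    Runs REGEX over the field named by SOURCE_KEY; on a match, expands $N in
    FORMAT from the capture groups and writes the result into DEST_KEY. When
    the regex does not match, the metadata is returned unchanged, which is
    why a non-matching source keeps the sourcetype inputs.conf gave it.
    """
    out = dict(event_meta)
    m = re.search(pcre_to_python(transform["REGEX"]), out.get(transform["SOURCE_KEY"], ""))
    if m:
        out[transform["DEST_KEY"]] = re.sub(
            r"\$(\d+)", lambda g: m.group(int(g.group(1))), transform["FORMAT"]
        )
    return out


def ungreedy_vs_greedy(source: str) -> tuple:
    """Show what (?U) changes: group 1 with lazy quantifiers (what Splunk's
    PCRE engine sees) next to group 1 with the flag simply ignored (greedy)."""
    raw = TRANSFORM["REGEX"]
    lazy = pcre_to_python(raw)
    greedy = raw[len("(?U)"):]
    return first_group(lazy, source), first_group(greedy, source)


if __name__ == "__main__":
    # Constructed sample sources; the forwarder would set "sourcetype::rsyslog"
    # (a placeholder) from inputs.conf before the transform runs.
    for src in ("//logs/prod/webapp/access.log", "/var/log/messages"):
        meta = {"source": src, "MetaData:Sourcetype": "sourcetype::rsyslog"}
        print(src, "->", apply_transform(meta, TRANSFORM)["MetaData:Sourcetype"])
    # A deeper path is where lazy and greedy disagree, so a regex tester in a
    # flavor without (?U) would report a different capture than Splunk uses.
    print(ungreedy_vs_greedy("//logs/prod/webapp/2024/access.log"))
```

On a three-level path both readings of the regex capture the same directory, which is why a quick test can look fine; on a deeper path the greedy reading captures the last directory before the file rather than the one after //logs/<dir>/, so check the pattern in a PCRE flavor (or translate it as above) before trusting the result.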