Archive
Highlighted

Splunk for Unix Sourcetypes for syslog

Builder

All,

I am looking at Splunk for Unix TA. I see the /var/log/messages input and for the life of me I can't find in this app where it's getting it's sourcetype of "syslog". Skimmed props.conf on the TA (why does the TA have a props?) and the splunkforunix_app too.

[monitor:///var/log]
whitelist=(\.log|log$|messages|secure|auth|mesg$|cron$|acpid$|\.out)
blacklist=(lastlog|anaconda\.syslog)
index=os
disabled = 1
0 Karma
Highlighted

Re: Splunk for Unix Sourcetypes for syslog

Champion

Hi Daniel,
This page is listing all the source types from Splunk App for Unix -
http://docs.splunk.com/Documentation/UnixAddOn/5.2.3/User/SourcetypesandCIMdatamodelinfo

why does the TA have a props?
Splunk has config files for separately for "global and app/user contexts", so that maintenance would become easy and simple.
when the number of users and apps grow, these global and app/user contexts help in administration duties.

0 Karma
Highlighted

Re: Splunk for Unix Sourcetypes for syslog

Ultra Champion

syslog belongs to a set of predefined source types - What are the default sourcetypes and how are they determined?

The "official" documentation about them at Why source types matter