Dashboards & Visualizations

dynamic sourcetypes - can splunk do this? (and I'll be impressed if it can)

a212830
Champion

Hi,

I have a request to monitor a directory, with dynamic logfiles. Sometimes they are there, sometimes the customer will create new ones.... They have validated that the logfiles all follow the same format. Is it possible for splunk to create a sourcetype based upon the name of the file? They all follow the format SERVICE_PID.log. I could create one based upon the directory name, but they would rather use separate sourcetypes, if possible, for easier analysis and reporting.


MuS
SplunkTrust

Hi a212830,

Yes it can 😉 You will need to specify this in your props/transforms files anywhere parsing/indexing is being performed.

props.conf

[source::...regex_to_match_filename]
TRANSFORMS-fs = force-sourcetype-st

transforms.conf

[force-sourcetype-st]
DEST_KEY = MetaData::Sourcetype
SOURCE_KEY = MetaData::Source
REGEX = YOUR_REGEX_TO_PULL_THE_FILENAME
FORMAT = sourcetype::$1
WRITE_META = true

Hope this helps ...

cheers, MuS

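A worked version of the REGEX that the stanza above leaves as a placeholder, for the SERVICE_PID.log naming described in the question. This is an added example, not part of MuS's answer or of Splunk's documentation: the pattern, the fallback sourcetype name and the sample source paths are constructed here. Splunk's REGEX is PCRE, and this pattern uses only syntax that Python's re module shares with it, so the same string can be checked locally before it is dropped into transforms.conf. Two things worth keeping in mind with this approach: the transform runs at index time, so it only affects data indexed after the change (and the parsing tier needs a restart to pick it up), and because the sourcetype name comes straight from the filename, whoever can write files into the monitored directory also chooses the sourcetype, which is why the capture group below allows only a narrow set of characters rather than `(.*)`.

```python
import re

# Constructed regex for the transforms.conf REGEX key. SOURCE_KEY is
# MetaData::Source, i.e. the full path, so the match is anchored to the
# last path component: an optional separator, then SERVICE, then _PID.log.
# The character class is deliberately restrictive so that a file named
# e.g. "foo bar_1.log" or "*_1.log" cannot produce an odd sourcetype name.
SERVICE_PID_REGEX = r"(?:^|[/\\])([A-Za-z0-9][A-Za-z0-9.-]*)_\d+\.log$"

# Sourcetype to report when the filename does not match. In Splunk a
# non-matching REGEX simply leaves the original sourcetype untouched;
# the name used here is an assumption for the local check only.
FALLBACK_SOURCETYPE = "generic_service_log"

# Constructed sample source paths, as Splunk would see them in the
# source field for a monitored directory.
SAMPLE_SOURCES = [
    "/var/log/app/orders_12345.log",
    "/var/log/app/orders_12399.log",
    "/var/log/app/billing-api_77.log",
    "/var/log/app/README.txt",
]


def derive_sourcetype(source: str, fallback: str = FALLBACK_SOURCETYPE) -> str:
    """Mimic the force-sourcetype-st transform for one source path.

    Returns what FORMAT = sourcetype::$1 would set, i.e. the SERVICE part of
    SERVICE_PID.log, or the fallback when the filename does not match.
    """
    match = re.search(SERVICE_PID_REGEX, source)
    if match is None:
        return fallback
    return match.group(1)


def group_by_sourcetype(sources):
    """Show how the monitored files would be split across sourcetypes,
    which is the 'easier analysis and reporting' the question is after."""
    groups = {}
    for source in sources:
        groups.setdefault(derive_sourcetype(source), []).append(source)
    return groups


if __name__ == "__main__":
    for sourcetype, paths in sorted(group_by_sourcetype(SAMPLE_SOURCES).items()):
        print(f"{sourcetype}: {len(paths)} file(s)")
        for path in paths:
            print(f"  {path}")
```

If the regex passes the local check, the REGEX line in the stanza above becomes the SERVICE_PID_REGEX string verbatim (Splunk does not need the Python raw-string prefix), and the source:: stanza in props.conf should likewise be narrowed to the monitored directory so the transform is not applied to every input on the indexer.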

thomrs
Communicator

Source type is set at index time, so I do not think this is possible. I had a similar issue and I used the same source type for everything but added a new field based on the file source called 'logname'. This is a search time approach and has been working fine.

You could use a transform at index time to add the 'logname' as metadata if needed.


thomrs
Communicator

I was wrong, you can do this with an index time transform. I always stay away from doing that; I never want to change the raw data.

http://docs.splunk.com/Documentation/Splunk/latest/Data/Advancedsourcetypeoverrides

MuS
SplunkTrust

Good one! Knowing his weakness, is a way to strength .... or something like that ..... Yoda would said have 🙂


a212830
Champion

Good stuff, both useful. I'll try them out.
