Getting Data In

Alternative ways to assigning sourcetype?

dleung
Splunk Employee

I am checking out a sample application where an eventtype's search contains "sourcetype=...". I am having difficulty determining where this particular sourcetype gets assigned.

I would typically look for an entry in inputs.conf that may explicitly set the sourcetype for a given input; however, there is no inputs.conf.

I do notice within props.conf there's a stanza for the sourcetype's field extractions. Does a stanza within props.conf implicitly declare and define the sourcetype?

For the following example, does the applicability to the REPORT clause associate the event to the sourcetype?

This is a working solution and I am interested in trying to understand how this works rather than alternative modifications.

(I've included sample as well as actual declarations)

=====================
eventtypes.conf
=====================
[eventtype_foo]
search = sourcetype=bar

[asa-authentication-failure]
search = sourcetype=cisco_asa "Message-Type=Authen failed"


=====================
props.conf
=====================
[bar]
REPORT-bar = bar-eventinfo

[cisco_asa]
REPORT-asa = ciscosyslog-eventinfo

=====================
transforms.conf
=====================
[bar-eventinfo]
REGEX = ^foobar-(\w+)-$
FORMAT = foobar_type::$1

[ciscosyslog-eventinfo]
REGEX = [^%]+%(\w+)-(\d)-(\d+):\s+.*
FORMAT = dvc_type::$1 log_level::$2 signature_id::$3

Thanks, Danny

2 Solutions

gkanapathy
Splunk Employee

Sourcetypes may be set at index time via:

  • setting it in inputs.conf (on the machine where the input is configured)
  • setting it in a matching stanza in props.conf (only on the machine where the input is configured)
  • setting it via an index-time TRANSFORM in props.conf and transforms.conf (on the machine where the parse queue executes, which is either the heavy forwarder if one is used, or the indexer)
  • auto-generation if it's unspecified otherwise or if CHECK_FOR_HEADER tells it to use CSV headers and assign a new generated sourcetype.

A sourcetype can also be overridden in search-time configurations with the rename setting in props.conf, or with REPORT/EXTRACT extractions (all on the search head).


Lowell
Super Champion

Do you have a cisco app installed?

In general, a sourcetype can be determined by setting up a source pattern that sets the sourcetype in props.conf. Or it can be set explicitly by inputs.conf. There are a few other methods, like [rule::...] and [delayedrule::...], and if all else fails then Splunk will assign a new sourcetype which will often be some portion of the source name; in which case you will find entries about it in your "learned" app in the sourcetypes.conf file.


hulahoop
Splunk Employee

Hi Danny,

To address some of your questions directly...

"Does a stanza within props.conf implicitly declare and define the sourcetype?"
--> The answer is No. Just because a sourcetype is referenced by a stanza in props.conf, this does not automatically create the sourcetype and associate it with any events.

"For the following example, does the applicability to the REPORT clause associate the event to the sourcetype?"
--> The answer is also No. REPORT signifies a search-time operation, and also does not create or associate anything to the sourcetype simply because it is referenced.

Are you looking at the Splunk for Cisco Security App? The cisco_asa sourcetype seems to be referenced in a number of places in the conf files, but I don't see that any events are ever assigned to this sourcetype. There are some rules that reference it, but I don't believe any of the rules ever take effect since no events actually get sourcetyped as cisco_asa. Even the sample cisco_asa.log gets sourcetyped as cisco_firewall. Admittedly, this is confusing.

The answer provided by gkanapathy covers all the cases for setting and manipulating sourcetype.
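An added example, not part of this thread or of any Splunk app, that puts the mechanisms gkanapathy lists and the point hulahoop makes side by side in one set of conf files: the three ways an event actually acquires sourcetype=cisco_asa (inputs.conf, a source:: stanza in props.conf, an index-time TRANSFORMS override), versus the REPORT stanza under [cisco_asa], which runs at search time only on events that already carry that sourcetype and never assigns it. The file path, the [syslog] starting sourcetype, the stanza names and the %ASA regex are assumptions chosen for illustration; DEST_KEY = MetaData:Sourcetype and the sourcetype:: FORMAT prefix are the documented Splunk settings for an index-time sourcetype override.

```ini
# ---------------- inputs.conf (on the forwarder where the input is defined) ----------------
# Explicit assignment: every event read from this file is indexed as cisco_asa.
# The monitor path is an assumption for this example.
[monitor:///var/log/cisco/asa.log]
sourcetype = cisco_asa

# ---------------- props.conf ----------------
# Source-pattern assignment. This stanza must also live where the input is
# configured; it assigns the sourcetype without an explicit line in inputs.conf.
[source::/var/log/cisco/asa*.log]
sourcetype = cisco_asa

# Index-time override. Runs in the parsing queue (heavy forwarder or indexer).
# Events that arrive with the starting sourcetype "syslog" are re-typed to
# cisco_asa when the transform's REGEX matches _raw. If inputs.conf already
# set cisco_asa, the event never enters this stanza and the override is a no-op.
[syslog]
TRANSFORMS-set_asa = set_sourcetype_cisco_asa

# Search-time only. This stanza does NOT create or assign the sourcetype.
# REPORT-asa is applied on the search head, and only to events that were
# indexed with sourcetype=cisco_asa; an event indexed as cisco_firewall
# never sees this extraction, however similar its raw text looks.
[cisco_asa]
REPORT-asa = ciscosyslog-eventinfo
# Search-time rename, shown commented out: with it enabled, events indexed as
# cisco_asa are matched by sourcetype=cisco:asa at search time, while the
# indexed value is unchanged and remains searchable as _sourcetype=cisco_asa.
# rename = cisco:asa

# ---------------- transforms.conf ----------------
# Index-time sourcetype override referenced by TRANSFORMS-set_asa above.
# The regex assumes the ASA syslog header form "%ASA-<level>-<message id>:".
[set_sourcetype_cisco_asa]
REGEX = %ASA-\d-\d+:
FORMAT = sourcetype::cisco_asa
DEST_KEY = MetaData:Sourcetype

# Search-time field extraction, same shape as the thread's ciscosyslog-eventinfo.
[ciscosyslog-eventinfo]
REGEX = [^%]+%(\w+)-(\d)-(\d+):\s+.*
FORMAT = dvc_type::$1 log_level::$2 signature_id::$3
```

To confirm which path actually fired after deploying a change like this, check what was indexed rather than what props.conf references: `index=<your index> | stats count by sourcetype` shows whether any events carry cisco_asa at all, and `index=<your index> sourcetype=cisco_asa | head 5` shows whether REPORT-asa then produces dvc_type, log_level and signature_id on them. Index-time settings only affect data indexed after the restart or reload; already-indexed events keep the sourcetype they were given.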

dleung
Splunk Employee

hulahoop,

The information shown is actually from the SKB-Cisco module included in ESS. The extractions are very similar to the cisco firewall addon module. I did a little further digging and found there were some sourcetypes set via an index-time TRANSFORM in props.conf and transforms.conf. Thanks to gkanapathy for pointing that out 🙂 Additionally, I followed up with the developer and found that there would also be some manual setting of sourcetypes at the configuration of the data inputs. Thanks for the detailed help and explanation.
