Solved: Extracting sourcetype from source /tmp/csv/file1

hylam · ‎10-24-2015

The sourcetype should be csv or tsv or psv, depending on the full path in the source field. For hosts we have host_regex and host_segment. Do we have sourcetype_regex or sourcetype_segment? Thx.

/tmp/csv/file1
/tmp/csv/file2
/tmp/tsv/file3
/tmp/tsv/file4
/tmp/psv/file5
/tmp/psv/file6

esix_splunk · ‎10-24-2015

We dont have this ability now in Splunk. However, you can further filter the sourcetype by source via transforms and searching a regex against the meta data. This article has a good example -

https://answers.splunk.com/answers/112471/changing-sourcetype-with-regex.html

View solution in original post

esix_splunk · ‎10-24-2015

We dont have this ability now in Splunk. However, you can further filter the sourcetype by source via transforms and searching a regex against the meta data. This article has a good example -

https://answers.splunk.com/answers/112471/changing-sourcetype-with-regex.html

Extracting sourcetype from source /tmp/csv/file1

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Event Series: Splunk Observability Metrics Cost Optimization

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Join the Conversation