Solved: Extracting sourcetype from source /tmp/csv/file1

hylam · ‎10-24-2015

The sourcetype should be csv or tsv or psv, depending on the full path in the source field. For hosts we have host_regex and host_segment. Do we have sourcetype_regex or sourcetype_segment? Thx.

/tmp/csv/file1
/tmp/csv/file2
/tmp/tsv/file3
/tmp/tsv/file4
/tmp/psv/file5
/tmp/psv/file6

esix_splunk · ‎10-24-2015

We dont have this ability now in Splunk. However, you can further filter the sourcetype by source via transforms and searching a regex against the meta data. This article has a good example -

https://answers.splunk.com/answers/112471/changing-sourcetype-with-regex.html

View solution in original post

esix_splunk · ‎10-24-2015

We dont have this ability now in Splunk. However, you can further filter the sourcetype by source via transforms and searching a regex against the meta data. This article has a good example -

https://answers.splunk.com/answers/112471/changing-sourcetype-with-regex.html

Extracting sourcetype from source /tmp/csv/file1

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

Analytics Workspace deprecation

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Join the Conversation