How can I define new sourcetypes for one single TC...

jimnol · ‎10-30-2015

Hello,

I'm trying to implement Splunk on a really big project.
My team and I already used a LogLogic solution and want to go through a Splunk's one.

The problem is that all the logs of this network (decades Active Directory areas) are currently relayed to the LogLogic SIEM and then to my Splunk Indexer over TCP.
That's means that I can configure only one TCP input on my indexer.

Question is : How can I tell Splunk to define new sourcetypes based on differents events indexed such "This is a Windows Log" or "That is an Arkoon log" etc ... ?

Should I use a Splunk Forwarder to parse data upstream or anything else ?

Thank you in advance for your replies !

PS : Sorry for my English I'm a French student ^^

woodcock · ‎10-30-2015

It is all documented clearly here:

http://docs.splunk.com/Documentation/Splunk/latest/Data/Advancedsourcetypeoverrides

aholzer · ‎10-30-2015

You can do this with props.conf and transforms.conf.

Your transforms would look something like this:

[force_sourcetype_x]
#regex that matches events that you want to label as sourcetype x
REGEX = sourcetype_x
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::x

Hope this helps

jimnol · ‎10-30-2015

I'll try it next week Splunk's VM is down actually.

Thank you !

How can I define new sourcetypes for one single TCP input ?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms