Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How do I get multiple sourcetypes from one source?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I get multiple sourcetypes from one source?
I have one file that I need to pull two sourcetypes from. Here are the details:
i created two independent inputs.conf files.
inputs.conf
[monitor:///var/log/audit/audit.log]
index=sample
sourcetype=sample1
inputs.conf
[monitor:///var/log/audit/audit.log]
index=sample
sourcetype=sample2
My serverclass.conf file is set up with two stanzas:
[serverClass:sample1]
whitelist.0 = /var/opt/specific/to/sample1*
machineTypesFilter = linux*
restartSplunkd = true
[serverClass:sample1:app:sample1]
[serverClass:sample2]
whitelist.0 = /var/opt/specific/to/sample2*
machineTypesFilter = linux*
restartSplunkd = true
[serverClass:sample2:app:sample2]
I am using the whitelist to identify key information within the log. The data is coming through with both whitelist details, but it is defaulting to only one sourcetype. My whitelist also contains host information which is also shared. The only thing that separates the sourcetypes is the /var/opt/specific/to/sample* details. I don't think host details matter, so I left these details in. Do I need to add an AND statement in there?
[serverClass:sample1]
whitelist.0 = /var/opt/specific/to/sample1* AND
whitelist.1 = host
machineTypesFilter = linux*
restartSplunkd = true
[serverClass:sample1:app:sample1]
Or is there something else that i should consider?
Thanks, Jennifer
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Serverclass.conf is used for your deployment server. This will not filter your inputs based on the file or event code. The whitelist / blacklist function in serverclass.conf is for host filtering.
You need to create two serverclasses; e.g., Sourcetype1 and Sourcetype2
In the whitelist for each of those, enter the hostname..
[serverClass:sample1]
whitelist.0 = myhostforsourcetype1.mydomain.com
machineTypesFilter = linux*
restartSplunkd = true
[serverClass:sample1:app:sample1]
[serverClass:sample2]
whitelist.0 = myhostforsourcetype2.mydomain.com
machineTypesFilter = linux*
restartSplunkd = true
[serverClass:sample2:app:sample2]
In those apps, you define the specific input and sourcetypes as you have done for the inputs.conf.
Refer to documentation for this here: http://docs.splunk.com/Documentation/Splunk/6.2.2/Updating/Useserverclass.conf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the information. If i am reading this correctly, I need to add the host details in to decipher the difference between the logs? The host details and the source are the same in both instances. It is only the log content that makes it different.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Adding a wildcard to see if it will work.
whitelist.0 = ***/var/opt/specific/to/sample2
App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community
Operationalizing Entity Risk Score with Enterprise Security 8.3+
Unlock Database Monitoring with Splunk Observability Cloud
