Solved: How do i make stored logs be parsed according to a...

mkudejim · ‎07-25-2016

I have a logs stored in splunk and they are of sourcetype=test, but I recently found this app that parses these type of logs but it needs a different sourcetype (sourcetype=good_type) to parse them. I tried sourcetype renaming but it only changed the name of the sourcetype but the logs did not get parsed by the app.

skoelpin · ‎07-25-2016

You will need to change the sourcetype on the host machine(s) where the forwarder is installed on. You will edit the inputs.conf and change the sourcetype there

What's the name of the app and which machine did you install the app on? I'm assuming you will need it installed on the indexer since that does the parsing..

View solution in original post

ddrillic · ‎07-25-2016

After setting the new sourcetype, I assume you want to re-index the data, right? It means running the soft delete using | delete for this data and clearing the caching in the fishbucket - definitely at the forwarder level but potentially also at the index level.

Then when re-indexing and having the modified inputs.conf, you should be fine.

skoelpin · ‎07-25-2016

You will need to change the sourcetype on the host machine(s) where the forwarder is installed on. You will edit the inputs.conf and change the sourcetype there

What's the name of the app and which machine did you install the app on? I'm assuming you will need it installed on the indexer since that does the parsing..

mkudejim · ‎07-25-2016

It's TA for Symantec Endpoint Protection (syslog), I installed the app on the search head and the forwarder, I would need to install it on the indexer right?

skoelpin · ‎07-25-2016

Are you using Universal Forwarders or a Heavy Forwarder?

Universal forwarders are unable to parse data, they can only forward data to the indexer which will then parse it. So for this app to work, it will need to be on the indexer and you will need to change your sourcetype name on the forwarder in the inputs.conf file.

So go onto one of your forwarders to test this and go to

Splunk/etc/system/local/inputs.conf and change your sourcetype

mkudejim · ‎07-25-2016

would I add a stanza like this one to inputs.conf to change the sourcetype?

[test]
rename=good_type

skoelpin · ‎07-25-2016

Your stanza in inputs.conf should look like this

Make sure to put in the hostname of the machine, the path you want to monitor, and the index you want this to go into.. Also make sure you restart the forwarder service after making these changes

[default]
host = SERVERNAME

[monitor://PATH_NAME]
disabled = false
sourcetype = good_type
index = YOUR INDEX

skoelpin · ‎07-26-2016

Were you able to get this going? If this helped then can you accept/like the answer

somesoni2 · ‎07-25-2016

You would need to update the inputs.conf using which the data is collected to change the sourcetype from test to good_type (recommended). In order for new sourcetype parsing to take place, it has to apply before it's indexed.

How do i make stored logs be parsed according to a diffrent sourcetype?

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk