Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create multiple source types from a single log file?

acsanders
New Member
‎04-17-2017 07:44 AM

I am ingesting 1 file that has multiple server IP addresses. I need to source type each server based on the IP address. I have tried using the props.conf and transforms.conf with no luck. Any help would be much appreciated.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎04-17-2017 09:12 AM

We would need some sample events and your current props.conf/transforms.conf. Meanwhile, check if something like this works for you.

#Inputs.conf on forwarder
[monitor://<<path of file>]
index = ..
sourcetype = some_default_sourcetype

#props.conf on Indexers/Heavy Forwarder
[some_default_sourcetype]
...event parsing stuffs..
TRANSFORMS-overridest = change_st_by_IP1,change_st_by_IP2,change_st_by_IP3,....

#transforms.conf on Indexers/Heavy Forwarder. Replace IPs with your exact values)
[change_st_by_IP1]
REGEX = (10\.11\.12\.13)
FORMAT = sourcetype::yourNewSourceType1
DEST_KEY = MetaData:Sourcetype

[change_st_by_IP2]
REGEX = (20\.21\.22\.23)
FORMAT = sourcetype::yourNewSourceType2
DEST_KEY = MetaData:Sourcetype

..
similar stanza for other IPs...

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎04-17-2017 09:12 AM

We would need some sample events and your current props.conf/transforms.conf. Meanwhile, check if something like this works for you.

#Inputs.conf on forwarder
[monitor://<<path of file>]
index = ..
sourcetype = some_default_sourcetype

#props.conf on Indexers/Heavy Forwarder
[some_default_sourcetype]
...event parsing stuffs..
TRANSFORMS-overridest = change_st_by_IP1,change_st_by_IP2,change_st_by_IP3,....

#transforms.conf on Indexers/Heavy Forwarder. Replace IPs with your exact values)
[change_st_by_IP1]
REGEX = (10\.11\.12\.13)
FORMAT = sourcetype::yourNewSourceType1
DEST_KEY = MetaData:Sourcetype

[change_st_by_IP2]
REGEX = (20\.21\.22\.23)
FORMAT = sourcetype::yourNewSourceType2
DEST_KEY = MetaData:Sourcetype

..
similar stanza for other IPs...
Reply
Solved! Jump to solution

vanheer
Explorer
‎08-19-2022 11:29 AM

Hi,

I have a question here, can we use different index for each sourcetype in these conf files?

 

Tags (3)
0 Karma
Reply
Solved! Jump to solution

acsanders
New Member
‎04-17-2017 12:25 PM

That did exactly what I was trying to accomplish. Thanks so much for the fast response.

0 Karma
Reply
Solved! Jump to solution

acsanders
New Member
‎04-18-2017 05:10 AM

I have an additional question. I need to do the same thing with a string that I am doing with an IP address. Whats the correct way to do this. How do I set up the REGEX for a string?

transforms.comf
[change_st_by_IP9]
REGEX = Plinapp748

FORMAT = sourcetype::McAfee_ePO
DEST_KEY = MetaData:Sourcetype

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎04-18-2017 07:49 AM

It's the same way as IP. IP has a special character dot so I had to escape it. If your string just has alphanumeric values, just specify them as it is in REGEX.

0 Karma
Reply
Solved! Jump to solution

acsanders
New Member
‎04-18-2017 09:30 AM

Thanks so much for the help. Worked like a charm.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...