Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: How to create multiple source types from a sin...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am ingesting 1 file that has multiple server IP addresses. I need to source type each server based on the IP address. I have tried using the props.conf and transforms.conf with no luck. Any help would be much appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We would need some sample events and your current props.conf/transforms.conf. Meanwhile, check if something like this works for you.
#Inputs.conf on forwarder
[monitor://<<path of file>]
index = ..
sourcetype = some_default_sourcetype
#props.conf on Indexers/Heavy Forwarder
[some_default_sourcetype]
...event parsing stuffs..
TRANSFORMS-overridest = change_st_by_IP1,change_st_by_IP2,change_st_by_IP3,....
#transforms.conf on Indexers/Heavy Forwarder. Replace IPs with your exact values)
[change_st_by_IP1]
REGEX = (10\.11\.12\.13)
FORMAT = sourcetype::yourNewSourceType1
DEST_KEY = MetaData:Sourcetype
[change_st_by_IP2]
REGEX = (20\.21\.22\.23)
FORMAT = sourcetype::yourNewSourceType2
DEST_KEY = MetaData:Sourcetype
..
similar stanza for other IPs...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We would need some sample events and your current props.conf/transforms.conf. Meanwhile, check if something like this works for you.
#Inputs.conf on forwarder
[monitor://<<path of file>]
index = ..
sourcetype = some_default_sourcetype
#props.conf on Indexers/Heavy Forwarder
[some_default_sourcetype]
...event parsing stuffs..
TRANSFORMS-overridest = change_st_by_IP1,change_st_by_IP2,change_st_by_IP3,....
#transforms.conf on Indexers/Heavy Forwarder. Replace IPs with your exact values)
[change_st_by_IP1]
REGEX = (10\.11\.12\.13)
FORMAT = sourcetype::yourNewSourceType1
DEST_KEY = MetaData:Sourcetype
[change_st_by_IP2]
REGEX = (20\.21\.22\.23)
FORMAT = sourcetype::yourNewSourceType2
DEST_KEY = MetaData:Sourcetype
..
similar stanza for other IPs...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have a question here, can we use different index for each sourcetype in these conf files?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That did exactly what I was trying to accomplish. Thanks so much for the fast response.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have an additional question. I need to do the same thing with a string that I am doing with an IP address. Whats the correct way to do this. How do I set up the REGEX for a string?
transforms.comf
[change_st_by_IP9]
REGEX = Plinapp748
FORMAT = sourcetype::McAfee_ePO
DEST_KEY = MetaData:Sourcetype
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's the same way as IP. IP has a special character dot so I had to escape it. If your string just has alphanumeric values, just specify them as it is in REGEX.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks so much for the help. Worked like a charm.
Index This | How many sevens are there between 1 and 100?
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
What Is Splunk? Here’s What You Can Do with Splunk
