Getting Data In

How to modify the source field to match normal splunk file location

coleman07
Path Finder

We had to put the log files in the /san/splunk/var/log/splunk directory vs the /opt/splunk/var/log/splunk directory. Of course, I can modify apps that have hard coded the path to files in that directory. Is there a way to use props or transform on the indexer with the awkward path so the source will show up as /opt/splunk/var/log/splunk on the search head? That way, I don't have to modify the search in apps needing to find files in the /san/splunk/var/log/splunk directory.

0 Karma

somesoni2
Revered Legend

Try this in your Indexers and Heavy Forwarders and Search Heads (wherever you're collecting internal logs with this different path):

props.conf 

[source::/san/splunk/var/log/splunk*]
TRANSFORMS-setsource = correct_source


transforms.conf

[correct_source]
SOURCE_KEY = MetaData:Source
DEST_KEY = MetaData:Source
REGEX = \/san\/splunk(\/var\/log\/splunk.*)
FORMAT = source::/opt/splunk$1

landen99
Motivator

I think that this regex would only match sources that began with the parent directory /san/. Perhaps the regex could be relaxed to only match on the capture group:

 [correct_source]
 SOURCE_KEY = MetaData:Source
 DEST_KEY = MetaData:Source
 REGEX = (\/var\/log\/splunk.*)
 FORMAT = source::$1
0 Karma
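To check what the two transforms.conf stanzas above actually do to a source value before deploying them, here is an added example (not part of the thread) that emulates a REGEX/FORMAT rewrite against a few constructed source paths; it assumes Python's re module behaves like Splunk's PCRE for these simple patterns.

```python
import re

# Sample sources as they would arrive from the relocated log directory
# (constructed for this example, not taken from a real deployment).
SAMPLE_SOURCES = [
    "/san/splunk/var/log/splunk/splunkd.log",
    "/san/splunk/var/log/splunk/metrics.log",
    "/opt/splunk/var/log/splunk/splunkd.log",   # already the wanted path
    "/var/log/messages",                        # unrelated source, must be untouched
]

# REGEX/FORMAT pairs as written in the two transforms.conf stanzas above.
# Splunk uses PCRE and $1..$n in FORMAT; $n is mapped to the matching group below.
ORIGINAL = (r"\/san\/splunk(\/var\/log\/splunk.*)", "source::/opt/splunk$1")
RELAXED = (r"(\/var\/log\/splunk.*)", "source::$1")


def apply_transform(source, regex, fmt):
    """Emulate a transforms.conf stanza with SOURCE_KEY = DEST_KEY = MetaData:Source.

    REGEX is unanchored (as in Splunk), so it may match anywhere in the source.
    If it does not match, the source is left as-is. The 'source::' prefix in
    FORMAT is Splunk's key marker and is stripped from the returned value.
    """
    m = re.search(regex, source)
    if not m:
        return source
    new_value = re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), fmt)
    return new_value[len("source::"):] if new_value.startswith("source::") else new_value


def rewrite_all(regex, fmt, sources=SAMPLE_SOURCES):
    """Return {original_source: rewritten_source} for every sample path."""
    return {s: apply_transform(s, regex, fmt) for s in sources}


if __name__ == "__main__":
    for label, (regex, fmt) in (("original", ORIGINAL), ("relaxed", RELAXED)):
        print(f"== {label}: REGEX={regex} FORMAT={fmt}")
        for before, after in rewrite_all(regex, fmt).items():
            print(f"{before:45} -> {after}")
```

Running it shows that the original stanza leaves sources that are already under /opt/splunk untouched, while the relaxed stanza rewrites those too and emits a path without the /opt/splunk prefix.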

landen99
Motivator

You could hard code the source in your inputs.conf on your indexer or forwarder, http://docs.splunk.com/Documentation/Splunk/6.3.3/Admin/inputsconf

source= /opt/splunk/var/log/splunk/filename
0 Karma

jkat54
SplunkTrust

Change your search to look for */splunk/var/log...

Or use sedcmd in props.conf on your sourcetype

 SEDCMD-santoopt = "s/\/san/\/opt/g"

You can also use sed with the rex command in search:

 ... | rex field=source mode=sed "s/\/san/\/opt/g" | ...
0 Karma