Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to override Splunk renaming sourcetypes xxx-1 if field name header encountered?

Glenn
Builder
‎03-18-2010 11:43 AM

This is related to an earlier question: http://answers.splunk.com/questions/490/why-do-variations-in-sourcetype-appear

This question is slightly different however, as the issue is not present in IIS logs, but in an external CSV report we monitor that contains a header of field names.

I need to have all my sourcetypes set the same so they do not have to be referenced as "ORAExtendedOrderHistory*". From what I understood from that previous question, it renames the sourcetype because it is trying to store the field names from the header, but when I look at the list of available fields, these are not available in the list anyway. Unless I misunderstood the point of this functionality, it looks like its not working for me, so I'd like to override it.

Source log /opt/oracle/admin/reports/ExtendedOrderHistoryCacti_SUNDAY.csv:

field1, field2, field3, field4, field5, field6, field7,field8,field9, field10, field11, field12,
field13,field14, field15, field16
13-MAR-2010 23:59,WEB,OS,0,2,0,2,43,42,43,23,22,23,20,20,20,14-MAR-10,13-MAR-10,14-MAR-10
14-MAR-2010 00:00,WEB,OS,1,1,0,2,69,47,91,29,27,30,41,17,64,14-MAR-10,14-MAR-10,14-MAR-10
...

Monitors in inputs.conf:

[monitor:///opt/oracle/admin/reports/ExtendedOrderHistoryCacti_MONDAY.csv]
sourcetype = ORAExtendedOrderHistory
disabled = false

[monitor:///opt/oracle/admin/reports/ExtendedOrderHistoryCacti_TUESDAY.csv]
sourcetype = ORAExtendedOrderHistory
disabled = false

[monitor:///opt/oracle/admin/reports/ExtendedOrderHistoryCacti_WEDNESDAY.csv]
sourcetype = ORAExtendedOrderHistory
disabled = false

[monitor:///opt/oracle/admin/reports/ExtendedOrderHistoryCacti_THURSDAY.csv]
sourcetype = ORAExtendedOrderHistory
disabled = false

[monitor:///opt/oracle/admin/reports/ExtendedOrderHistoryCacti_FRIDAY.csv]
sourcetype = ORAExtendedOrderHistory
disabled = false

[monitor:///opt/oracle/admin/reports/ExtendedOrderHistoryCacti_SATURDAY.csv]
sourcetype = ORAExtendedOrderHistory
disabled = false

[monitor:///opt/oracle/admin/reports/ExtendedOrderHistoryCacti_SUNDAY.csv]
sourcetype = ORAExtendedOrderHistory
disabled = false
Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎03-19-2010 12:17 AM

It is doing this because there is a built-in rule that takes any file name ending in .csv and forces the header check and sourcetype generation. You can override this by putting this in props.conf:

[source::.../ExtendedOrderHistory*.csv]
sourcetype = ORAExtendedOrderHistory
priority = 101

or some other appropriate source pattern. You can repeat this multiple times for multiple source patterns if needed.

View solution in original post

Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎03-19-2010 12:17 AM

It is doing this because there is a built-in rule that takes any file name ending in .csv and forces the header check and sourcetype generation. You can override this by putting this in props.conf:

[source::.../ExtendedOrderHistory*.csv]
sourcetype = ORAExtendedOrderHistory
priority = 101

or some other appropriate source pattern. You can repeat this multiple times for multiple source patterns if needed.

Reply
Solved! Jump to solution

Glenn
Builder
‎03-22-2010 05:10 PM

Yup, that's done it thanks.

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎03-19-2010 06:36 PM

This needs to be set on the forwarder actually, not the indexer. It's one of the few props.conf settings that happens on the input side before parsing. See: http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings%3F

0 Karma
Reply
Solved! Jump to solution

Glenn
Builder
‎03-19-2010 03:29 PM

I added the following to props.conf on my indexer:
[source::.../OrderHistoryCacti_*.csv]
sourcetype = ORAOrderHistory
priority = 101

[source::.../ExtendedOrderHistoryCacti_*.csv]
sourcetype = ORAExtendedOrderHistory
priority = 102

After running "| extract reload=T" on my indexer, I am still seeing the sourcetypes as "ORAExtendedOrderHistory-7" as they were before the change. Should I expect the change to be reflected immediately? Or will it only happen once the file rolls and Splunk encounters a new one?

0 Karma
Reply
Solved! Jump to solution

BunnyHop
Contributor
‎03-18-2010 04:51 PM

when you see the sourcetype as xxxxxx-1 Splunk tries to learn the data. For some reason, it doesn't know how to handle the csv files correctly.

I had to convert mine to a txt file for it to be considered into the sourcetype that I specified.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...