Hunk - assigning sourcetype

jwalzerpitt
Influencer

I created two virtual indexes within Hunk that read from two separate HDFS directories. One is for Cisco ASA logs, and the other is for IIS logs. Each HDFS directory contains a bunch of *.log files. Clicking 'search' for either index starts to index/read all of the log files, but the sourcetype is set wrong for both indexes.

How do I assign the correct sourcetype to each index?

Thx


jwalzerpitt
Influencer

That worked. Just had to change the search to:

index="web_logs" source="/logs/web/ex140401.log"

Once I did that, I got an "Interesting Fields" list, with the parsed out fields.

So that applies to searching individual log files (basically using 'Exploring Data'). How do I apply the new manual-iis to all IIS log files when I go in to search the entire virtual index? When I click 'search' there, the files aren't being parsed per the IIS sourcetype.

Thx


Ledion_Bitincka
Splunk Employee

Great! Now, simply replace the single source stanza with the following in order to apply the "new-iis" sourcetype to all the files under /logs/web/

   /opt/hunk/etc/apps/search/local/props.conf
   [source::/logs/web/...]
   sourcetype = new-iis
   priority = 10 
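The stanza above works because of how Splunk's props.conf matches `[source::...]` headers: `...` matches any run of characters including directory separators, `*` matches anything except a separator, a pattern must cover the whole source path, a stanza with no wildcards is a literal match that beats every pattern stanza, and `priority` breaks ties between pattern stanzas (higher wins). The following Python model of that resolution is an added example, not code from this thread or from Hunk/Splunk. The embedded props.conf text is constructed: it contains the two stanzas discussed in the thread plus an assumed `[source::/logs/asa/*.log]` stanza with an assumed sourcetype name `cisco:asa`; treating a stanza with no `priority` as priority 0 is also an assumption of the model.

```python
"""Model of how props.conf [source::<pattern>] stanzas pick a sourcetype.

Added example (not from the thread, not Splunk's code). Assumed semantics:
  * the pattern must match the whole source path;
  * '...' matches any characters, including '/';
  * '*' matches any characters except '/';
  * a wildcard-free stanza is a literal match and beats all pattern stanzas;
  * among matching pattern stanzas the highest 'priority' wins;
  * a stanza without 'priority' counts as priority 0 (assumption).
"""
import re

# Constructed props.conf content: the two stanzas from the thread plus an
# assumed ASA stanza (sourcetype name 'cisco:asa' is an assumption).
PROPS_CONF = """\
[source::/logs/web/ex140401.log]
sourcetype = manual-iis

[source::/logs/web/...]
sourcetype = new-iis
priority = 10

[source::/logs/asa/*.log]
sourcetype = cisco:asa
"""


def parse_props(text):
    """Minimal .conf reader: returns a list of {'header', 'attrs'} stanzas."""
    stanzas, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {"header": line[1:-1], "attrs": {}}
            stanzas.append(current)
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current["attrs"][key.strip()] = value.strip()
    return stanzas


def pattern_to_regex(pattern):
    """Translate Splunk's '...' and '*' wildcards into an anchored regex."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("...", i):
            out.append(".*")        # '...' crosses directory separators
            i += 3
        elif pattern[i] == "*":
            out.append("[^/]*")     # '*' stops at a directory separator
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def resolve_sourcetype(source, stanzas):
    """Return the sourcetype the stanzas would assign to `source`, or None."""
    literal = None
    best = None  # (priority, sourcetype) of the best pattern match so far
    for st in stanzas:
        if not st["header"].startswith("source::"):
            continue
        pattern = st["header"][len("source::"):]
        sourcetype = st["attrs"].get("sourcetype")
        if sourcetype is None:
            continue
        if "..." not in pattern and "*" not in pattern:
            if pattern == source:
                literal = sourcetype
            continue
        if pattern_to_regex(pattern).match(source):
            prio = int(st["attrs"].get("priority", "0"))
            if best is None or prio > best[0]:
                best = (prio, sourcetype)
    if literal is not None:
        return literal
    return best[1] if best else None


if __name__ == "__main__":
    stanzas = parse_props(PROPS_CONF)
    for src in ("/logs/web/ex140401.log", "/logs/web/2014/ex140402.log",
                "/logs/asa/fw1.log", "/logs/asa/archive/fw1.log"):
        print(f"{src:32} -> {resolve_sourcetype(src, stanzas)}")
```

Running it shows why the original single-file stanza only covered `ex140401.log`, why `/logs/web/...` also catches files in subdirectories under `/logs/web/`, and why a `*`-only pattern such as `/logs/asa/*.log` would miss anything one directory deeper.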

jwalzerpitt
Influencer

Awesome!! That worked...

Now the last issue I'm wrestling with is that the ASA logs are not being properly identified even when I select cisco : asa as the sourcetype. Here's a sample ASA log:

Apr 10 06:29:58 1.1.1.1 %ASA-7-106100: access-list np-itf15-FW-RULE-1 permitted udp FW-RULE-2/2.2.2.2(615) -> FW-RULE-3/3.3.3.3(111) hit-cnt 1 first hit [0x7eb55e24, 0xc85ef7a5]

Switching between cisco : asa and System Defaults doesn't make a difference.

Do I need to build custom Cisco ASA stanzas in props.conf and transforms.conf, like for IIS?

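To show what correct field extraction from the ASA line quoted above would yield, here is an added example (not from the thread and not Splunk's Cisco add-on): a Python parser for the syslog header and the `%ASA-7-106100` access-list message. The first sample line is the one posted above; the second is constructed in the same format. The regexes use named groups, so the same patterns could be placed in a props.conf `EXTRACT-` setting for the ASA sourcetype; which sourcetype name and stanza you would attach them to is an assumption, not something the thread settles.

```python
"""Field extraction for Cisco ASA %ASA-7-106100 syslog lines.

Added example (not from the thread). Sample input: the line quoted in the
thread plus one constructed line in the same format.
"""
import re

SAMPLE_LINES = [
    # line quoted in the thread
    "Apr 10 06:29:58 1.1.1.1 %ASA-7-106100: access-list np-itf15-FW-RULE-1 "
    "permitted udp FW-RULE-2/2.2.2.2(615) -> FW-RULE-3/3.3.3.3(111) "
    "hit-cnt 1 first hit [0x7eb55e24, 0xc85ef7a5]",
    # constructed line, same message format, denied TCP flow
    "Apr 10 06:30:01 1.1.1.1 %ASA-7-106100: access-list np-itf15-FW-RULE-1 "
    "denied tcp FW-RULE-2/2.2.2.5(41022) -> FW-RULE-3/3.3.3.9(22) "
    "hit-cnt 3 300-second interval [0x7eb55e24, 0xc85ef7a5]",
]

# Syslog header + the %ASA-<severity>-<id>: token that identifies an ASA line.
ASA_HEADER = re.compile(
    r"^(?P<timestamp>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+"
    r"%ASA-(?P<severity>\d)-(?P<message_id>\d{6}):\s+"
    r"(?P<message>.*)$"
)

# Body of message 106100: "access-list <acl> permitted|denied <proto>
# <zone>/<ip>(<port>) -> <zone>/<ip>(<port>) hit-cnt <n> ..."
ASA_106100 = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+(?P<action>permitted|denied)\s+"
    r"(?P<protocol>\S+)\s+"
    r"(?P<src_zone>[^/\s]+)/(?P<src_ip>[\d.]+)\((?P<src_port>\d+)\)\s+->\s+"
    r"(?P<dest_zone>[^/\s]+)/(?P<dest_ip>[\d.]+)\((?P<dest_port>\d+)\)\s+"
    r"hit-cnt\s+(?P<hit_count>\d+)"
)


def looks_like_asa(line):
    """True when the line carries the %ASA-<sev>-<id>: marker."""
    return ASA_HEADER.match(line) is not None


def parse_asa(line):
    """Return a dict of extracted fields, or None if the line is not ASA."""
    m = ASA_HEADER.match(line)
    if not m:
        return None
    event = m.groupdict()
    if event["message_id"] == "106100":
        body = ASA_106100.match(event["message"])
        if body:
            event.update(body.groupdict())
    return event


def parse_all(lines):
    """Parse every line; non-ASA lines are dropped rather than guessed at."""
    return [ev for ev in (parse_asa(l) for l in lines) if ev is not None]


if __name__ == "__main__":
    for ev in parse_all(SAMPLE_LINES):
        print({k: ev[k] for k in ("message_id", "action", "protocol",
                                  "src_ip", "src_port", "dest_ip",
                                  "dest_port", "hit_count")})
```

A line that does not carry the `%ASA-<severity>-<id>:` token is rejected outright; if your sample events look like the one above but still come through untyped, checking that the token survives whatever wrote the files into HDFS is a reasonable first step before writing more stanzas.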

jwalzerpitt
Influencer

Thx - let me add and test again


jwalzerpitt
Influencer

After some additional review, for the IIS logs I see they're being tagged as a sourcetype of IIS, but they're not being parsed correctly. Any ideas on how to troubleshoot that issue?

The Cisco ASA logs aren't being identified as the correct sourcetype at all.
