Getting Data In

I want source type separation using prop.conf.

noott211
Path Finder

index name = my_index
source name = my_source
sourcetype = my_sourcetpye
host = 192.168.0.10

-----------------------------
The field action is =allow -> my_allow.
Action = deny -> my_deny
other -> my_myontype
I want to change it to this.

help me

Labels (3)
0 Karma
1 Solution

isoutamo
SplunkTrust
SplunkTrust

If I understood right your request you could do it with props.conf and transforms.conf (you need both). Look e.g. CLONE_SOURCETYPE for that. If there are lot of those values then it could be hard to manage all those versions.

View solution in original post

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

In splunk concept sourcetype means lexical format of log event/source. Based on that it's not a good practice to name sourcetype by value of field (if I understood right what you are asking?). Instead of sourcetype you should use eventtype to separate those events inside sourcetype.

r. Ismo

0 Karma

noott211
Path Finder

I want to separate data whenever it comes in. Can similar effects be achieved using prop.conf or transaction.conf?

0 Karma

isoutamo
SplunkTrust
SplunkTrust

If I understood right your request you could do it with props.conf and transforms.conf (you need both). Look e.g. CLONE_SOURCETYPE for that. If there are lot of those values then it could be hard to manage all those versions.

0 Karma
Get Updates on the Splunk Community!

Splunk App for Anomaly Detection End of Life Announcement

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...