Getting Data In

I want source type separation using prop.conf.

noott211
Path Finder

index name = my_index
source name = my_source
sourcetype = my_sourcetpye
host = 192.168.0.10

-----------------------------
The field action is =allow -> my_allow.
Action = deny -> my_deny
other -> my_myontype
I want to change it to this.

help me

Labels (3)
0 Karma
1 Solution

isoutamo
SplunkTrust
SplunkTrust

If I understood right your request you could do it with props.conf and transforms.conf (you need both). Look e.g. CLONE_SOURCETYPE for that. If there are lot of those values then it could be hard to manage all those versions.

View solution in original post

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

In splunk concept sourcetype means lexical format of log event/source. Based on that it's not a good practice to name sourcetype by value of field (if I understood right what you are asking?). Instead of sourcetype you should use eventtype to separate those events inside sourcetype.

r. Ismo

0 Karma

noott211
Path Finder

I want to separate data whenever it comes in. Can similar effects be achieved using prop.conf or transaction.conf?

0 Karma

isoutamo
SplunkTrust
SplunkTrust

If I understood right your request you could do it with props.conf and transforms.conf (you need both). Look e.g. CLONE_SOURCETYPE for that. If there are lot of those values then it could be hard to manage all those versions.

0 Karma
Get Updates on the Splunk Community!

Observability Unveiled: Navigating OpenTelemetry's Framework and Deployment Options

Observability Unveiled: Navigating OpenTelemetry's Framework and Deployment Options A recent Tech Talk, ...

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...