Solved: I want source type separation using prop.conf.

noott211 · ‎12-27-2021

index name = my_index
source name = my_source
sourcetype = my_sourcetpye
host = 192.168.0.10

-----------------------------
The field action is =allow -> my_allow.
Action = deny -> my_deny
other -> my_myontype
I want to change it to this.

help me

isoutamo · ‎12-28-2021

If I understood right your request you could do it with props.conf and transforms.conf (you need both). Look e.g. CLONE_SOURCETYPE for that. If there are lot of those values then it could be hard to manage all those versions.

View solution in original post

isoutamo · ‎12-28-2021

Hi

In splunk concept sourcetype means lexical format of log event/source. Based on that it's not a good practice to name sourcetype by value of field (if I understood right what you are asking?). Instead of sourcetype you should use eventtype to separate those events inside sourcetype.

r. Ismo

noott211 · ‎12-28-2021

I want to separate data whenever it comes in. Can similar effects be achieved using prop.conf or transaction.conf?

isoutamo · ‎12-28-2021

If I understood right your request you could do it with props.conf and transforms.conf (you need both). Look e.g. CLONE_SOURCETYPE for that. If there are lot of those values then it could be hard to manage all those versions.

I want source type separation using prop.conf.

props.conf

sourcetype

transforms.conf

Splunk App for Anomaly Detection End of Life Announcement

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Are you a member of the Splunk Community?