Getting Data In

Inputs defined sourcetype overwrite a specific source using props and transforms

Path Finder

Hi ,
all my /var/log file are are input configured to redirect to sourcetype=unixlogs and now i would like to redirect all /var/log/smart* to different sourcetypes based on the folder structure its having.

 disabled = 0
sourcetype = unixlog`

`[ source::.../var/log/smart... ]
TRANSFORMS-setSourceType = smart_source`


     [ smart_source ]
     REGEX ="(\/var\/log\/)(?<![^\/\n])(\w..+)\/(\w..+)"
      DEST_KEY = MetaData:Sourcetype
    FORMAT = sourcetype::$1
    SOURCE_KEY = MetaData:Source

regx also not working

0 Karma

Revered Legend

If you're monitoring the path [monitor:///var/log], then to override sourcetype of all sources/files with path starting with /var/log/smart, try this on your indexer/heavy forwarder

Props (no spaces in stanza name)

TRANSFORMS-setSourceType = smart_source

Transforms:(no spaces in stanza name)

# Do not need doublequotes. Simple regex to capture folder name after /var/log
REGEX = \/var\/log\/([^\/\n]+)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::$1
SOURCE_KEY = MetaData:Source
0 Karma

Path Finder

Do i need to get those props and transforms on indexers also ?

0 Karma

Revered Legend

If youre using a heavy forwarder (or intermediate forwader) which is a full Enterprise Splunk instance then it should (just go there), not on indexers. If your data is coming from univeraal forwarder to indexers directly this should be done on Indexers.

0 Karma

Ultra Champion
  1. Why the ... at the start of your source:: stanza in props?
  2. Your regex in transforms.conf doesn’t make much sense to me. Can you explain based on the sample folder structure which bit you want to capture into the source type field? You’re currently assigning $1 which is the first capture group and based on your regex that is the /var/log/ bit...
0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...