Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Inputs defined sourcetype overwrite a specific sou...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Inputs defined sourcetype overwrite a specific source using props and transforms
svemurilv
Path Finder
06-01-2018
01:42 PM
Hi ,
all my /var/log file are are input configured to redirect to sourcetype=unixlogs and now i would like to redirect all /var/log/smart* to different sourcetypes based on the folder structure its having.
`[monitor:///var/log]
disabled = 0
index=inux
sourcetype = unixlog`
Props
`[ source::.../var/log/smart... ]
TRANSFORMS-setSourceType = smart_source`
Transforms:
[ smart_source ]
REGEX ="(\/var\/log\/)(?<![^\/\n])(\w..+)\/(\w..+)"
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::$1
SOURCE_KEY = MetaData:Source
regx also not working
/var/log/smart-agent/smart-agent.log
/var/log/smart-agent/smart-agent.out
/var/log/smart-infra-solr/solr.log
/var/log/smart-infra-solr/solr_gc.log
/var/log/smart-metrics-collector/smart-metrics-collector.log
/var/log/smart-metrics-collector/collector-gc.log-201804231606
/var/log/smart-metrics-collector/collector-gc.log-201805100755
/var/log/smart-metrics-collector/gc.log-201804231606
/var/log/smart-metrics-collector/gc.log-201805100755
/var/log/smart-metrics-collector/hbase-ams-master-xo1ph140.log
/var/log/smart-metrics-grafana/grafana.log
/var/log/smart-metrics-grafana/grafana.out
/var/log/smart-metrics-monitor/smart-metrics-monitor.out
/var/log/smart-server/smart-alerts.log
/var/log/smart-server/smart-audit.log
/var/log/smart-server/smart-config-changes.log
/var/log/smart-server/smart-eclipselink.log
/var/log/smart-server/smart-server.log
/var/log/smart-server/smart-server-command.log
/var/log/smart-server/capshed-view/capshed-view.log
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
06-02-2018
10:35 AM
If you're monitoring the path [monitor:///var/log], then to override sourcetype of all sources/files with path starting with /var/log/smart, try this on your indexer/heavy forwarder
Props (no spaces in stanza name)
[source::/var/log/smart*]
TRANSFORMS-setSourceType = smart_source
Transforms:(no spaces in stanza name)
[smart_source]
# Do not need doublequotes. Simple regex to capture folder name after /var/log
REGEX = \/var\/log\/([^\/\n]+)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::$1
SOURCE_KEY = MetaData:Source
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
svemurilv
Path Finder
06-06-2018
10:17 AM
Do i need to get those props and transforms on indexers also ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
06-06-2018
11:06 AM
If youre using a heavy forwarder (or intermediate forwader) which is a full Enterprise Splunk instance then it should (just go there), not on indexers. If your data is coming from univeraal forwarder to indexers directly this should be done on Indexers.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FrankVl
Ultra Champion
06-01-2018
05:44 PM
- Why the
...at the start of your source:: stanza in props? - Your regex in transforms.conf doesn’t make much sense to me. Can you explain based on the sample folder structure which bit you want to capture into the source type field? You’re currently assigning
$1which is the first capture group and based on your regex that is the/var/log/bit...
Get Updates on the Splunk Community!
Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0
Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...
See your relevant APM services, dashboards, and alerts in one place with the updated ...
As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
Cultivate Your Career Growth with Fresh Splunk Training
Growth doesn’t just happen—it’s nurtured. Like tending a garden, developing your Splunk skills takes the right ...
