Hello Guys, newbie here.
I've got data that's being sent to a generic sourcetype and I want to carve out another sourcetype based on this particular one. Is that possible and are there any ramifications to note on doing this?
@oylkm you can keep it in the same app under the /local dir, not in the default dir. It works there too, but local is suggested. You might need to test the new sourcetype settings.
It's not really a generic log per se; the index and sourcetype are based on F5 logs and I want to carve out a new sourcetype to see a different type of data, and we are not using the Splunkbase app for this.
@oylkm then you might need to define line breaking and timestamp extraction. If there is an add-on for F5 in Splunkbase it might already have the sourcetype definitions you are after.
I'm thinking along the lines of taking a sample of the new data that I want to see in the new sourcetype and defining it from that, but any recommendations are fine.
Hi @oylkm
You can create your own sourcetype from the default generic sourcetype. Just go to props.conf, copy the contents under the generic sourcetype and create your own. You can create a new props.conf under $SPLUNK_HOME/system/local OR $SPLUNK_HOME/etc/apps/<your_app_name>/local. The new props has to be deployed to the HF/indexer, depending on your Splunk infra.
Change generic to the new sourcetype in inputs.conf at the origin.
---
An upvote would be appreciated and Accept solution if it helps!
The data input is actually defined in inputs.conf to monitor a location and attach to an index/sourcetype, and nothing is defined in the current props.conf. Will it still work if I create a new props.conf and define separate settings?
@oylkm inputs are always on the host where the data is present. Splunk by default ships with a few generic sourcetypes; which one are you after?
Default generic sourcetypes are usually present under the system/default dir in props.conf. For custom sourcetypes Splunk recommends putting them under the system/local or app_name/local directory, and if your Splunk environment is distributed then you have to put them on the HF; if there is no HF, put them on the indexers. It does work with new sourcetypes (define your own name); they just need to be deployed in the right place and have correct line breaking and timestamp extractions.
Since you are going to use the settings of the default sourcetypes, just changing the name should work fine. You can read more here - https://docs.splunk.com/Documentation/SplunkCloud/8.2.2105/Data/Whysourcetypesmatter
So this is what I've come up with on the base sourcetype.
[apm:apm:syslog]
SHOULD_LINEMERGE = false
# BREAK_ONLY_BEFORE_DATE only takes effect when SHOULD_LINEMERGE = true, so it does nothing here
BREAK_ONLY_BEFORE_DATE = true
# Pacific/Auckland is the valid tz database name; Newzealand/Auckland is not a recognised zone
TZ = Pacific/Auckland
Are you suggesting I create another props.conf file under the same app? If so, how do I make it reference the same index as well? I want to call the new sourcetype apm:apm:syslog:ltm.
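As an added example (not from this thread, and not Splunk's F5 add-on) of the two ways the carve-out above can be wired up: the index is assigned in inputs.conf, not in props.conf, so the new sourcetype keeps the same index either way. The file path, index name and the "ltm" match pattern are assumptions; replace them with whatever identifies the LTM events in your data.

```ini
# --- Option A: the LTM data arrives from its own file/input ---------------
# $SPLUNK_HOME/etc/apps/<your_app_name>/local/inputs.conf (on the forwarder)
# Assumed path and index name. Both inputs point at the same index.
[monitor:///var/log/f5/apm.log]
index = f5
sourcetype = apm:apm:syslog

[monitor:///var/log/f5/ltm.log]
index = f5
sourcetype = apm:apm:syslog:ltm

# $SPLUNK_HOME/etc/apps/<your_app_name>/local/props.conf (on the HF/indexer)
# A second stanza in the same props.conf; no second file is needed.
# Because the sourcetype is set at the input, full parsing settings apply.
[apm:apm:syslog:ltm]
SHOULD_LINEMERGE = false
TZ = Pacific/Auckland

# --- Option B: LTM events are mixed into the existing apm:apm:syslog feed ---
# props.conf: hand matching events to an index-time transform.
# The index is not touched by the override, so it stays f5.
[apm:apm:syslog]
SHOULD_LINEMERGE = false
TZ = Pacific/Auckland
TRANSFORMS-ltm = set_ltm_sourcetype

# $SPLUNK_HOME/etc/apps/<your_app_name>/local/transforms.conf (on the HF/indexer)
# Assumed marker: the raw event contains the token "ltm" surrounded by
# whitespace. Tighten this to a real field in your events before relying
# on it, since a loose regex silently misroutes events.
[set_ltm_sourcetype]
REGEX = \sltm\s
FORMAT = sourcetype::apm:apm:syslog:ltm
DEST_KEY = MetaData:Sourcetype
```

With Option B the override runs after line breaking and timestamping, so a separate [apm:apm:syslog:ltm] stanza can only contribute search-time settings (field extractions, aliases); if the new data needs different line breaking or a different TZ, use Option A. Verify with `index=f5 | stats count by sourcetype` after a restart, and check `_time` against the raw timestamps, since detection content keyed on the new sourcetype depends on both being right.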