Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Is it possible to dynamically change sourcetype based upon host?

a212830
Champion
‎05-27-2013 08:10 AM

Hi,

I have a logfile that contains lots of hosts (coming in from syslog). I want to dynamically change the sourcetype based upon the host value. (It has to be host, not just text in the stream). Is this possible? Not that there are numerous other inputs coming in on this system, some of which also contain these same hosts, but I don't want them included in this setup.

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

okrabbe_splunk
Splunk Employee
Splunk Employee
‎05-27-2013 07:13 PM

You can match a host in props.conf and set a source type. Host stanzas override sourcetype stanza.

[syslog]

blah blah

[host::myserver*]
sourcetype=special_sourcetype

Even though the event came in as syslog, as long as the host stanza matches it will override syslog.

Here is the props.conf spec for more info:

http://docs.splunk.com/Documentation/Splunk/latest/admin/Propsconf

View solution in original post

Reply
Solved! Jump to solution
Solution

okrabbe_splunk
Splunk Employee
Splunk Employee
‎05-27-2013 07:13 PM

You can match a host in props.conf and set a source type. Host stanzas override sourcetype stanza.

[syslog]

blah blah

[host::myserver*]
sourcetype=special_sourcetype

Even though the event came in as syslog, as long as the host stanza matches it will override syslog.

Here is the props.conf spec for more info:

http://docs.splunk.com/Documentation/Splunk/latest/admin/Propsconf

Reply
Solved! Jump to solution

jfaldmomacu
Path Finder
‎10-27-2022 08:35 AM

This does not work anymore. I'm not sure if it would have ever worked, but according to the documentation sourcetype=something only works when applied to a source. A transforms.conf file is needed. The example given in another reply almost works, it was missing the "sourcetype::" on the FORMAT line.

[syslog]
TRANSFORMS-set_sourcetype = set_sourcetype

transforms.conf

[set_sourcetype]
FORMAT = sourcetype::new_sourcetype
REGEX = myserver
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Sourcetype

Reply
Solved! Jump to solution

a212830
Champion
‎05-28-2013 05:34 PM

Thanks. Yes, I'm doing that on a linux system, but this is legacy stuff running on Solaris, and uses standard syslog daemons. Thanks for all the info.

0 Karma
Reply
Solved! Jump to solution

okrabbe_splunk
Splunk Employee
Splunk Employee
‎05-28-2013 12:05 PM

Unfortunately I do not know of a way to do this based on a lookup.

One thing I would say though is that sometimes it is easier to fix this on the way in rather than trying to fix it in Splunk.

Many times people will have their syslog receiver split out the syslog into different directories based on hosts and then you would just configure the SPlunk forwarder to map these directories to source types.

Reply
Solved! Jump to solution

a212830
Champion
‎05-28-2013 08:08 AM

Thanks. One last question - would it be possible to do this based upon a lookup? I did a search, but I don't see any examples of this being done.

0 Karma
Reply
Solved! Jump to solution

okrabbe_splunk
Splunk Employee
Splunk Employee
‎05-28-2013 06:09 AM

ok, if you need it dependent you can try this.

props.conf

[syslog]
TRANSFORMS-set_sourcetype = set_sourcetype

transforms.conf

[set_sourcetype]
FORMAT = new_sourcetype
REGEX = myserver
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Sourcetype

0 Karma
Reply
Solved! Jump to solution

a212830
Champion
‎05-28-2013 03:28 AM

Is the host stanza a sub-set of the syslog stanza? I have other inputs that will have the same hosts, but I don't want those modified.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...