Getting Data In

Is it possible to dynamically change sourcetype based upon host?

a212830
Champion

Hi,

I have a logfile that contains lots of hosts (coming in from syslog). I want to dynamically change the sourcetype based upon the host value. (It has to be host, not just text in the stream). Is this possible? Not that there are numerous other inputs coming in on this system, some of which also contain these same hosts, but I don't want them included in this setup.

Labels (1)
Tags (2)
0 Karma
1 Solution

okrabbe_splunk
Splunk Employee
Splunk Employee

You can match a host in props.conf and set a source type. Host stanzas override sourcetype stanza.

[syslog]

blah blah

[host::myserver*]
sourcetype=special_sourcetype

Even though the event came in as syslog, as long as the host stanza matches it will override syslog.

Here is the props.conf spec for more info:

http://docs.splunk.com/Documentation/Splunk/latest/admin/Propsconf

View solution in original post

okrabbe_splunk
Splunk Employee
Splunk Employee

You can match a host in props.conf and set a source type. Host stanzas override sourcetype stanza.

[syslog]

blah blah

[host::myserver*]
sourcetype=special_sourcetype

Even though the event came in as syslog, as long as the host stanza matches it will override syslog.

Here is the props.conf spec for more info:

http://docs.splunk.com/Documentation/Splunk/latest/admin/Propsconf

jfaldmomacu
Path Finder

This does not work anymore. I'm not sure if it would have ever worked, but according to the documentation sourcetype=something only works when applied to a source. A transforms.conf file is needed. The example given in another reply almost works, it was missing the "sourcetype::" on the FORMAT line.

[syslog]
TRANSFORMS-set_sourcetype = set_sourcetype

transforms.conf

[set_sourcetype]
FORMAT = sourcetype::new_sourcetype
REGEX = myserver
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Sourcetype

0 Karma

a212830
Champion

Thanks. Yes, I'm doing that on a linux system, but this is legacy stuff running on Solaris, and uses standard syslog daemons. Thanks for all the info.

0 Karma

okrabbe_splunk
Splunk Employee
Splunk Employee

Unfortunately I do not know of a way to do this based on a lookup.

One thing I would say though is that sometimes it is easier to fix this on the way in rather than trying to fix it in Splunk.

Many times people will have their syslog receiver split out the syslog into different directories based on hosts and then you would just configure the SPlunk forwarder to map these directories to source types.

a212830
Champion

Thanks. One last question - would it be possible to do this based upon a lookup? I did a search, but I don't see any examples of this being done.

0 Karma

okrabbe_splunk
Splunk Employee
Splunk Employee

ok, if you need it dependent you can try this.

props.conf

[syslog]
TRANSFORMS-set_sourcetype = set_sourcetype

transforms.conf

[set_sourcetype]
FORMAT = new_sourcetype
REGEX = myserver
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Sourcetype

0 Karma

a212830
Champion

Is the host stanza a sub-set of the syslog stanza? I have other inputs that will have the same hosts, but I don't want those modified.

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...