Getting Data In

Multiple versions of logs creating separate sourcetypes?

onegreydot
Explorer

I have a log file for which I created a transforms.conf and props.conf, specifying the log source in the props with [source::.../name.log]. The application generating the log was recently updated, and the log file now has the same name.log but different header fields. Right now I am extracting the fields using the REPORT statement with DELIMS and FIELDS. But since the log file changed, the FIELDS are now different. What would be the best way to maintain both versions of the log inside of my Splunk instance without having to rename the actual log?


emiller42
Motivator

Do the existing transforms still function on the new format of data, just with incorrect fields? Or does it not apply at all?

If it doesn't apply at all, then you can simply add another transforms.conf stanza for the new format, and have the props.conf stanza use both. Splunk will try both and apply whichever works.

However, if your extraction still technically works but is incorrect because the data changed, that complicates things. Can you provide sample data and your existing configuration?


emiller42
Motivator

You may have to get more explicit and use regex to parse out the fields then. I would try to make regex extractions that only match one of the two formats. That way when both are applied, there's no way the fields can be swapped around like that.


onegreydot
Explorer

Tried adding that in the props.conf and it does extract both sets now.

However it still doesn't distinguish between logs, because the headers have changed. I should have put that in the example above.

So instead of "src_ip", "src_port", "dest_ip" ...
It may be "src_ip", "src_port", "host", "dest_ip" ...

The above makes it so that host could have the dest_ip and vice versa when searching the logs. If there were just additional headers to the log the above solution would work great!

Thanks!


emiller42
Motivator

Try just this in your props.conf settings:

REPORT-name_log = old_log, new_log

onegreydot
Explorer

The format of the log files in the transforms.conf looks something like:

old log:

[old_log]
FIELDS="timestamp", "src_ip", "src_port", "dest_ip", "dest_port"
DELIMS=","

new log:

[new_log]
FIELDS="timestamp", "src_ip", "src_port", "dest_ip", "dest_port", "url", "level", "message"
DELIMS=","

In my props.conf I have:

[source::.../name.log]
sourcetype = name_log

[name_log]
REPORT-old_log = old_log
...
...

As you can see, the new version of the log has a few more fields. I will actually try putting both REPORT statements in the props.conf and see how that goes.

Thanks for the help.
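The following is an added example, not configuration from this thread, that models the approach suggested above: list both transforms under one REPORT- setting, but make each extraction regex-based and anchored so that only one format can match a given event. It assumes a new format that inserts a host column after src_port and keeps the extra url, level and message columns, which combines the two descriptions given in the thread; the sample events are constructed. Python's re module stands in for Splunk's extraction engine here: the DELIMS emulation shows how the positional extraction shifts the host value into dest_ip, and the two anchored regexes use the (?P<name>...) group syntax that Splunk's PCRE engine also accepts, so they can be pasted into transforms.conf as REGEX values (with named groups, no FORMAT line is needed).

```python
"""
Emulate two Splunk REPORT extractions on two versions of the same log.

Added example, not the poster's configuration. Assumed column layouts:

  old: timestamp,src_ip,src_port,dest_ip,dest_port
  new: timestamp,src_ip,src_port,host,dest_ip,dest_port,url,level,message

The regexes below are what would go into transforms.conf, roughly:

  [old_log]
  REGEX = <OLD_REGEX pattern>
  [new_log]
  REGEX = <NEW_REGEX pattern>

  # props.conf
  [name_log]
  REPORT-name_log = old_log, new_log
"""
import re

# Column lists as they appear in the original DELIMS/FIELDS transforms.
OLD_FIELDS = ["timestamp", "src_ip", "src_port", "dest_ip", "dest_port"]
NEW_FIELDS = ["timestamp", "src_ip", "src_port", "host", "dest_ip",
              "dest_port", "url", "level", "message"]

# Constructed sample events, one per format (not real log data).
OLD_LINE = "2024-05-01T10:00:00Z,10.0.0.5,51234,192.0.2.10,443"
NEW_LINE = ("2024-05-01T10:00:01Z,10.0.0.5,51235,web01,192.0.2.10,443,"
            "/login,INFO,user logged in, session started")


def delims_extract(line, fields):
    """Positional DELIMS="," / FIELDS=... extraction: value i -> fields[i].

    This is the behaviour that silently mislabels columns when the
    layout changes; it never checks what a value looks like.
    """
    return dict(zip(fields, line.split(",")))


IP = r"\d{1,3}(?:\.\d{1,3}){3}"
PORT = r"\d{1,5}"

# Old format: exactly five columns, IP/port columns typed, anchored at both
# ends so a line with more columns cannot match.
OLD_REGEX = re.compile(
    rf"^(?P<timestamp>[^,]+),(?P<src_ip>{IP}),(?P<src_port>{PORT}),"
    rf"(?P<dest_ip>{IP}),(?P<dest_port>{PORT})$"
)

# New format: a host column (not an IP) between src_port and dest_ip; the
# trailing message may itself contain commas, so it is captured last with .*
NEW_REGEX = re.compile(
    rf"^(?P<timestamp>[^,]+),(?P<src_ip>{IP}),(?P<src_port>{PORT}),"
    rf"(?P<host>[^,]+),(?P<dest_ip>{IP}),(?P<dest_port>{PORT}),"
    rf"(?P<url>[^,]*),(?P<level>[^,]*),(?P<message>.*)$"
)

TRANSFORMS = (("old_log", OLD_REGEX), ("new_log", NEW_REGEX))


def regex_extract(line):
    """Apply every listed transform, as Splunk does for REPORT-x = a, b,
    and collect the fields from whichever pattern(s) match."""
    fields = {}
    for _name, rx in TRANSFORMS:
        m = rx.match(line)
        if m:
            fields.update(m.groupdict())
    return fields


def which_format(line):
    """Names of the transforms that matched; used to confirm exclusivity."""
    return [name for name, rx in TRANSFORMS if rx.match(line)]


if __name__ == "__main__":
    # The problem: the old positional transform applied to a new-format line.
    print("DELIMS old_log on new line ->", delims_extract(NEW_LINE, OLD_FIELDS))
    # The fix: each anchored regex matches only its own format.
    print(which_format(OLD_LINE), which_format(NEW_LINE))
    print(regex_extract(NEW_LINE))
```

Running the script prints the mis-assigned fields from the positional extraction (dest_ip becomes "web01"), then the transform names that match each line, which should be exactly one per line. The ^ and $ anchors make the column count decisive: without $, the five-column pattern would happily match the prefix of a new-format line. Typing the IP and port columns adds a second check, so a line with a host name where an address is expected is rejected even if the trailing text is loose. Capturing message last with .* also keeps free-text messages containing commas intact, which a DELIMS extraction would split into extra columns.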