I have a log file for which I created a transforms.conf and a props.conf, specifying the log source in the props with [source::.../name.log]. The application generating the log was recently updated and the log file now has the same name.log but different header fields. Right now I am extracting the fields using the REPORT statement with DELIMS and FIELDS. But since the log file changed, the FIELDS are now different. What would be the best way to maintain both versions of the logs inside my Splunk instance without having to rename the actual log?
Do the existing transforms still function on the new format of data, just with incorrect fields? Or does it not apply at all?
If it doesn't apply at all, then you can simply add another transforms.conf stanza for the new format, and have the props.conf stanza use both. Splunk will try both and apply whichever works.
However, if your extraction still technically works but is just incorrect because the data changed, that complicates things. Can you provide sample data and your existing configuration?
You may have to get more explicit and use regex to parse out the fields then. I would try to make regex extractions that only match one of the two formats. That way when both are applied, there's no way the fields can be swapped around like that.
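As an added illustration (not part of the thread, and not Splunk itself), the following Python script simulates the two extraction approaches discussed above on two constructed sample lines: the old five-field layout and a new layout with an extra "host" column inserted before dest_ip. The first function does positional splitting, which is what DELIMS + FIELDS does, and shows how the inserted column shifts host into dest_ip. The second applies two anchored, format-specific regexes, the kind you would put in a REGEX setting of each transforms.conf stanza, so that at most one of them matches any given event and fields cannot be swapped. The sample lines, field values and regex patterns are assumptions made for the example; Splunk's regex engine is PCRE, which accepts the same (?P<name>...) named-group syntax used here.

```python
import re

# Constructed sample events (not taken from the original post).
# Old format: timestamp,src_ip,src_port,dest_ip,dest_port
OLD_LINE = "2024-05-01T10:00:00Z,10.0.0.5,51234,192.0.2.10,443"
# New format: an extra "host" column before dest_ip, plus url, level, message
NEW_LINE = "2024-05-01T10:00:01Z,10.0.0.5,51235,web01,192.0.2.10,443,/login,INFO,ok"

# Field list for the old format, as it would appear in FIELDS= of transforms.conf
OLD_FIELDS = ["timestamp", "src_ip", "src_port", "dest_ip", "dest_port"]


def delims_extract(line, fields, delim=","):
    """Positional extraction, equivalent to DELIMS + FIELDS.

    The split values are zipped onto the field names by position, so an
    inserted column silently lands in the wrong field name.
    """
    return dict(zip(fields, line.split(delim)))


# Format-specific regexes. Both are anchored with ^ and $, so each only
# matches a line with exactly its own column layout. Field names are the
# ones the thread uses; the IPv4 pattern is a simplification.
IP = r"\d{1,3}(?:\.\d{1,3}){3}"

OLD_RE = re.compile(
    rf"^(?P<timestamp>[^,]+),(?P<src_ip>{IP}),(?P<src_port>\d+),"
    rf"(?P<dest_ip>{IP}),(?P<dest_port>\d+)$"
)

NEW_RE = re.compile(
    rf"^(?P<timestamp>[^,]+),(?P<src_ip>{IP}),(?P<src_port>\d+),"
    rf"(?P<host>[^,]+),(?P<dest_ip>{IP}),(?P<dest_port>\d+),"
    rf"(?P<url>[^,]*),(?P<level>[^,]*),(?P<message>.*)$"
)


def regex_extract(line):
    """Apply both regexes to one event, the way Splunk applies every transform
    listed in REPORT-name_log = old_log,new_log. Because the patterns are
    anchored and require different column counts, at most one matches."""
    out = {}
    for pattern in (OLD_RE, NEW_RE):
        m = pattern.match(line)
        if m:
            out.update(m.groupdict())
    return out


def format_of(line):
    """Report which layout a line belongs to, or None if neither regex matches."""
    if OLD_RE.match(line):
        return "old"
    if NEW_RE.match(line):
        return "new"
    return None


if __name__ == "__main__":
    # Positional extraction with the old field list applied to a new-format line
    # puts the hostname into dest_ip, which is the misassignment described above.
    print("DELIMS/FIELDS on new line:", delims_extract(NEW_LINE, OLD_FIELDS))
    # Anchored regexes assign every field correctly for both layouts.
    print("regex on old line:", regex_extract(OLD_LINE))
    print("regex on new line:", regex_extract(NEW_LINE))
    print(format_of(OLD_LINE), format_of(NEW_LINE), format_of("not a log line"))
```

The important design choice is the $ anchor together with distinct column counts: without it, the old-format regex would happily match the first five columns of a new-format line and put the hostname into dest_ip, which is exactly the DELIMS behaviour you are trying to avoid.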
Tried adding that in the props.conf and it does extract both sets now.
However it still doesn't distinguish between logs, because the headers have changed. I should have put that in the example above.
So instead of "src_ip", "src_port", "dest_ip" ...
It may be "src_ip", "src_port", "host", "dest_ip" ...
The above makes it so that host could have the dest_ip and vice versa when searching the logs. If there were just additional headers to the log the above solution would work great!
Thanks!
Try just this in your props.conf settings:
REPORT-name_log = old_log,new_log
The format of the log files in the transforms.conf looks something like:
old log:
[old_log]
FIELDS="timestamp", "src_ip", "src_port", "dest_ip", "dest_port"
DELIMS=","
new log:
[new_log]
FIELDS="timestamp", "src_ip", "src_port", "dest_ip", "dest_port", "url", "level", "message"
DELIMS=","
In my props.conf I have:
[source::.../name.log]
sourcetype = name_log
[name_log]
REPORT-old_log = old_log
...
...
As you can see, the new version of the log has a few more fields. I will actually try putting both REPORT statements in the props.conf and see how that goes.