Getting Data In

Rename sourcetype to keep all the same no -too_small or -2,-3 added

aricv
New Member

We have a 3 index/3 search head cluster with master and deployment server.

I have a inputs.conf with

[monitor:L:\SampleServices\Debug\*]
disabled = false
index = sample_services

But we keep getting the -too_small and the -2, -3 appended to new sourcetypes

there are 15 diff files being monitored under the Debug* I dont want to have to create a seperate stanza for every file they add ..

I just want it to make the sourcetype the name of the file.. not add anything on the end.

thanks

0 Karma

sbbadri
Motivator

There is. You will need to specify this in your props/transforms files any where indexing is being performed.

props.conf

[source::...regex_to_match_filename]
TRANSFORMS-sourcetype_naming = dynamic_sourcetype_naming

transforms.conf

[dynamic_sourcetype_naming]
DEST_KEY = MetaData::Sourcetype
SOURCE_KEY = MetaData::Source
REGEX = YOUR_REGEX_TO_PULL_THE_FILENAME
FORMAT = sourcetype::$1
WRITE_META = true

Referances
http://docs.splunk.com/Documentation/Splunk/latest/admin/Transformsconf
http://docs.splunk.com/Documentation/Splunk/latest/admin/Propsconf

Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...