Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Rename sourcetype to keep all the same no -too_small or -2,-3 added

aricv
New Member
‎07-07-2017 07:22 AM

We have a 3 index/3 search head cluster with master and deployment server.

I have a inputs.conf with

[monitor:L:\SampleServices\Debug\*]
disabled = false
index = sample_services

But we keep getting the -too_small and the -2, -3 appended to new sourcetypes

there are 15 diff files being monitored under the Debug* I dont want to have to create a seperate stanza for every file they add ..

I just want it to make the sourcetype the name of the file.. not add anything on the end.

thanks

0 Karma
Reply

sbbadri
Motivator
‎07-07-2017 07:31 AM

There is. You will need to specify this in your props/transforms files any where indexing is being performed.

props.conf

[source::...regex_to_match_filename]
TRANSFORMS-sourcetype_naming = dynamic_sourcetype_naming

transforms.conf

[dynamic_sourcetype_naming]
DEST_KEY = MetaData::Sourcetype
SOURCE_KEY = MetaData::Source
REGEX = YOUR_REGEX_TO_PULL_THE_FILENAME
FORMAT = sourcetype::$1
WRITE_META = true

Referances
http://docs.splunk.com/Documentation/Splunk/latest/admin/Transformsconf
http://docs.splunk.com/Documentation/Splunk/latest/admin/Propsconf

Reply
Get Updates on the Splunk Community!

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...

Admin Your Splunk Cloud, Your Way

Join us to maximize different techniques to best tune Splunk Cloud. In this Tech Enablement, you will get ...

Cloud Platform | Discontinuing support for TLS version 1.0 and 1.1

Overview Transport Layer Security (TLS) is a security communications protocol that lets two computers, ...