Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Rename sourcetype to keep all the same no -too_small or -2,-3 added

aricv
New Member
‎07-07-2017 07:22 AM

We have a 3 index/3 search head cluster with master and deployment server.

I have a inputs.conf with

[monitor:L:\SampleServices\Debug\*]
disabled = false
index = sample_services

But we keep getting the -too_small and the -2, -3 appended to new sourcetypes

there are 15 diff files being monitored under the Debug* I dont want to have to create a seperate stanza for every file they add ..

I just want it to make the sourcetype the name of the file.. not add anything on the end.

thanks

0 Karma
Reply

sbbadri
Motivator
‎07-07-2017 07:31 AM

There is. You will need to specify this in your props/transforms files any where indexing is being performed.

props.conf

[source::...regex_to_match_filename]
TRANSFORMS-sourcetype_naming = dynamic_sourcetype_naming

transforms.conf

[dynamic_sourcetype_naming]
DEST_KEY = MetaData::Sourcetype
SOURCE_KEY = MetaData::Source
REGEX = YOUR_REGEX_TO_PULL_THE_FILENAME
FORMAT = sourcetype::$1
WRITE_META = true

Referances
http://docs.splunk.com/Documentation/Splunk/latest/admin/Transformsconf
http://docs.splunk.com/Documentation/Splunk/latest/admin/Propsconf

Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...