Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Rename sourcetype to keep all the same no -too_small or -2,-3 added

aricv
New Member
‎07-07-2017 07:22 AM

We have a 3 index/3 search head cluster with master and deployment server.

I have a inputs.conf with

[monitor:L:\SampleServices\Debug\*]
disabled = false
index = sample_services

But we keep getting the -too_small and the -2, -3 appended to new sourcetypes

there are 15 diff files being monitored under the Debug* I dont want to have to create a seperate stanza for every file they add ..

I just want it to make the sourcetype the name of the file.. not add anything on the end.

thanks

0 Karma
Reply

sbbadri
Motivator
‎07-07-2017 07:31 AM

There is. You will need to specify this in your props/transforms files any where indexing is being performed.

props.conf

[source::...regex_to_match_filename]
TRANSFORMS-sourcetype_naming = dynamic_sourcetype_naming

transforms.conf

[dynamic_sourcetype_naming]
DEST_KEY = MetaData::Sourcetype
SOURCE_KEY = MetaData::Source
REGEX = YOUR_REGEX_TO_PULL_THE_FILENAME
FORMAT = sourcetype::$1
WRITE_META = true

Referances
http://docs.splunk.com/Documentation/Splunk/latest/admin/Transformsconf
http://docs.splunk.com/Documentation/Splunk/latest/admin/Propsconf

Reply
Get Updates on the Splunk Community!

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! 🌈 In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...