Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Rename sourcetype to keep all the same no -too_small or -2,-3 added

aricv
New Member
‎07-07-2017 07:22 AM

We have a 3 index/3 search head cluster with master and deployment server.

I have a inputs.conf with

[monitor:L:\SampleServices\Debug\*]
disabled = false
index = sample_services

But we keep getting the -too_small and the -2, -3 appended to new sourcetypes

there are 15 diff files being monitored under the Debug* I dont want to have to create a seperate stanza for every file they add ..

I just want it to make the sourcetype the name of the file.. not add anything on the end.

thanks

0 Karma
Reply

sbbadri
Motivator
‎07-07-2017 07:31 AM

There is. You will need to specify this in your props/transforms files any where indexing is being performed.

props.conf

[source::...regex_to_match_filename]
TRANSFORMS-sourcetype_naming = dynamic_sourcetype_naming

transforms.conf

[dynamic_sourcetype_naming]
DEST_KEY = MetaData::Sourcetype
SOURCE_KEY = MetaData::Source
REGEX = YOUR_REGEX_TO_PULL_THE_FILENAME
FORMAT = sourcetype::$1
WRITE_META = true

Referances
http://docs.splunk.com/Documentation/Splunk/latest/admin/Transformsconf
http://docs.splunk.com/Documentation/Splunk/latest/admin/Propsconf

Reply
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...