Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Renaming sourcetype and source with props and ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
barak_l_griffis
Engager
06-06-2013
11:02 AM
We have some VIOS servers that are special-purpose machines that aren't allowed to have a UF installed. I want to hotwire the Splunk_TA_nix scripts to drop their output on an NFS share for Splunk to pick up. Each VIOS server will drop in a different directory under /exports/ and each script will write to a file with it's name (df.sh > df.log)
I want df.log to go to index=os, sourcetype=df, source=df
ps, iostat, vmstat, etc...
This isn't working:
inputs.conf
[monitor:///exports/vio*/*.log]
disabled = 0
followTail = 0
host =
host_segment = 2
index = os
props.conf
[source:.../df.log]
sourcetype = df
TRANSFORMS-viosdf = viosdf
[source:.../psdf.log]
sourcetype = ps
TRANSFORMS-viosps = viosps
transforms.conf
[viosdf]
DEST_KEY = MetaData:Source
FORMAT = source::df
[viosps]
DEST_KEY = MetaData:Source
FORMAT = source::ps
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kristian_kolb
Ultra Champion
06-06-2013
11:28 PM
Why not do it all in inputs.conf?
[monitor:///exports/vio*/df.log]
disabled = 0
followTail = 0
host =
host_segment = 2
index = os
sourcetype = df
source = df
[monitor:///exports/vio*/ps.log]
disabled = 0
followTail = 0
host =
host_segment = 2
index = os
sourcetype = ps
source = ps
/Kristian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kristian_kolb
Ultra Champion
06-06-2013
11:28 PM
Why not do it all in inputs.conf?
[monitor:///exports/vio*/df.log]
disabled = 0
followTail = 0
host =
host_segment = 2
index = os
sourcetype = df
source = df
[monitor:///exports/vio*/ps.log]
disabled = 0
followTail = 0
host =
host_segment = 2
index = os
sourcetype = ps
source = ps
/Kristian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ff9231
Loves-to-Learn
05-25-2021
10:36 PM
I don't think it works for defining "source" in inputs.conf
If I define host/host_segment then "source" always go to default to show as filename(which is what I don't want).
I am modifying on Universal Forwarder.
If I don't define host/host_segment then "source" name is OK but host goes to default server name...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
barak_l_griffis
Engager
06-07-2013
04:02 AM
Ouch. That's painfully obvious and I missed it.
Thanks!
Get Updates on the Splunk Community!
What’s New in Splunk Observability Cloud – June 2025
What’s New in Splunk Observability Cloud – June 2025 We are excited to announce the latest enhancements to ...
Almost Too Eventful Assurance: Part 2
Work While You SleepBefore you can rely on any autonomous remediation measures, you need to close the loop ...
Leveraging Detections from the Splunk Threat Research Team & Cisco Talos
Stay ahead of today’s evolving threats with the combined power of the Splunk Threat Research Team (STRT) and ...
