- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Renaming sourcetype and source with props and ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We have some VIOS servers that are special-purpose machines that aren't allowed to have a UF installed. I want to hotwire the Splunk_TA_nix scripts to drop their output on an NFS share for Splunk to pick up. Each VIOS server will drop in a different directory under /exports/ and each script will write to a file with it's name (df.sh > df.log)
I want df.log to go to index=os, sourcetype=df, source=df
ps, iostat, vmstat, etc...
This isn't working:
inputs.conf
[monitor:///exports/vio*/*.log]
disabled = 0
followTail = 0
host =
host_segment = 2
index = os
props.conf
[source:.../df.log]
sourcetype = df
TRANSFORMS-viosdf = viosdf
[source:.../psdf.log]
sourcetype = ps
TRANSFORMS-viosps = viosps
transforms.conf
[viosdf]
DEST_KEY = MetaData:Source
FORMAT = source::df
[viosps]
DEST_KEY = MetaData:Source
FORMAT = source::ps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why not do it all in inputs.conf?
[monitor:///exports/vio*/df.log]
disabled = 0
followTail = 0
host =
host_segment = 2
index = os
sourcetype = df
source = df
[monitor:///exports/vio*/ps.log]
disabled = 0
followTail = 0
host =
host_segment = 2
index = os
sourcetype = ps
source = ps
/Kristian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why not do it all in inputs.conf?
[monitor:///exports/vio*/df.log]
disabled = 0
followTail = 0
host =
host_segment = 2
index = os
sourcetype = df
source = df
[monitor:///exports/vio*/ps.log]
disabled = 0
followTail = 0
host =
host_segment = 2
index = os
sourcetype = ps
source = ps
/Kristian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't think it works for defining "source" in inputs.conf
If I define host/host_segment then "source" always go to default to show as filename(which is what I don't want).
I am modifying on Universal Forwarder.
If I don't define host/host_segment then "source" name is OK but host goes to default server name...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ouch. That's painfully obvious and I missed it.
Thanks!
Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...
Enterprise Security Content Update (ESCU) | New Releases
Index This | Divide 100 by half. What do you get?
