Setting sourcetype and source fields dynamically v...

nterry · ‎04-05-2012

I was reading the docs for inputs.conf and noticed that there are host _regex and host _segment attributes to the monitor stanzas. I want to be able to set the source and sourcetype attributes with a regex (just like host _regex and host _segment) as well. I know you can set it in transforms.conf, but I need to be able to set it on a per-file basis, not a per-event basis.

Does anyone have any ideas as to how to accomplish this?

kristian_kolb · ‎04-06-2012

Well, perhaps this may not be applicable for you, but you can set the sourcetype somewhat dynamically with props.conf rules. This will examine the content of a file and set the sourcetype if the rules match.

[rule::bar_some]
sourcetype = source_with_lots_of_bars
# if more than 80% of lines have "----", but fewer than 70% have "####" declare this a
# "source_with_lots_of_bars"
MORE_THAN_80 = ----
LESS_THAN_70 = ####

A rule can have many MORE_THAN and LESS_THAN patterns, and all are required for the rule
to match.

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf

Hope this helps,

Kristian

Stephen_Sorkin · ‎04-05-2012

You can only set source and sourcetype to a fixed string in inputs.conf. You cannot set it to be a regex or segment of the pathname. To set to a fixed string, use source = ... or sourcetype = ....

Setting sourcetype and source fields dynamically via inputs.conf

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

GA: New Data Management App in Splunk Platform

Announcing Modern Navigation: A New Era of Splunk User Experience

Join the Conversation