Hello all,
I am looking to set the sourcetype of my logs based on the logs' source. I know how to do this by modifying the .conf file, but I need to know how to do this from the web console. I know I can set the sourcetype from the monitored directories, but it won't accept wildcards. Essentially I want to get the example below, but via the web console.
[source::/file/archive/*BSM*]
sourcetype = solaris_bsm
Do I have to monitor the directory with a white/black list and then set the sourcetype? The directory I am monitoring will have several different desired sourcetypes in it. Will I have to, for each sourcetype in the directory, have its own data input configured to monitor the directory with the desired white/blacklist regex?
Thanks in advance for the help!
You can edit the configuration files somewhere else and then deploy them via an app (Deployment Server or Search Head admin GUI).
Update:
Set up the directory to be monitored with a whitelist for files that fall under a specific sourcetype. Worked perfectly, with the assumption that I could just set up several monitors on the same dir, each with a whitelist for files. That was not the case. You can only have one directory monitor set up.
I don't think the Index-time override of source can be done from the Splunk Web UI. You would need to use conf file methods. To override sourcetype based on source values (like in the question), you need to update props.conf on the forwarder (see this). I
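To make the conf-file method from the two answers above concrete, here is a small forwarder app that does what the question asks: one monitor on the archive directory, and props.conf stanzas that assign the sourcetype from the source path. This is an added example, not configuration from the thread or from Splunk's own docs; the app name, the `index`, the whitelist pattern and every sourcetype other than `solaris_bsm` are assumed for illustration. The two file sections below go into the app's `local/` directory (for example `etc/apps/solaris_inputs/local/`), which is then pushed to the forwarder with the Deployment Server.

```ini
# ---- inputs.conf ----
# A single monitor stanza per directory: as the asker found, Splunk does not
# accept several monitors on the same directory. Leave sourcetype unset here
# so that the props.conf source:: stanzas decide it per file.
[monitor:///file/archive]
disabled = false
recursive = true
index = os                       # assumed index name
# Optional regex on the full path; only files matching it are read.
whitelist = (BSM|syslog|messages)

# ---- props.conf ----
# Source-based sourcetype assignment has to live on the forwarder that reads
# the files, because sourcetype is fixed at input time. Source stanzas take
# wildcards: "*" matches within one path segment, "..." matches across "/".
[source::/file/archive/*BSM*]
sourcetype = solaris_bsm

[source::/file/archive/*syslog*]
sourcetype = syslog             # assumed second sourcetype in the same dir

# If two source:: patterns can match the same file, the more specific one
# wins; set priority explicitly when two patterns are equally specific.
[source::/file/archive/.../messages]
sourcetype = linux_messages_syslog
priority = 10
```

Once deployed, confirm the assignment from the search side with a query such as `index=os source="/file/archive/*" | stats count by source, sourcetype`: each file path should map to exactly one sourcetype, and anything still showing an auto-assigned sourcetype points to a `[source::...]` pattern that did not match the actual path.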
That is how I have done it in the past, by just updating the props.conf. With my company's new structure, we don't have write access to the conf files and need to do everything with the web console. I was just hoping there was a way to do it without having to access the conf files.