Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Setting sourcetype based on source with wildcards via web console?

cmeyers
Explorer
‎02-14-2017 03:12 PM

Hello all,
I am looking to set the sourcetype of my logs based of the logs' source. I know how to do this by modifying the .conf file, but I need to know how to do this from the web console. I know I can set the sourcetype from the monitoring directories, but it won't accept wildcards. Essentially want to get the example below, but via the web console.

[source::/file/archive/*BSM*]
sourcetype = solaris_bsm

Do I have to monitor the directory with a white/black list and then set the sourcetype? The directory I am monitoring will have several different desired sourcetypes in it. Will I have to, for each sourcetype in the directory, have its own data input configured to monitor the directory with the desired white/blacklist regex?
Thanks in advance for the help!

0 Karma
Reply

woodcock
Esteemed Legend
‎02-19-2017 07:48 PM

You can edit the configuration files somewhere else and then deploy then via app (Deployment Server or Search Head admin GUI).

0 Karma
Reply

cmeyers
Explorer
‎02-15-2017 11:01 AM

Update:
Set up the directory to be monitored with a whitelist for files that fall under a specific sourcetype. Worked perfectly, with the assuming I can just set up several monitors on the same dir, with a whitelist of for files. That was not the case. Can only have one directory monitor set up.

0 Karma
Reply

somesoni2
Revered Legend
‎02-15-2017 11:09 AM

I don't think the Index-time override of source can be done from the Splunk Web UI. You would need to use conf file methods. To override sourcetype based on source values (like in the question), you need to update props.conf on the forwarder (see this). I

0 Karma
Reply

cmeyers
Explorer
‎02-15-2017 11:13 AM

That is how I have done it in the past, by just updating the props.conf. With my company's new structure, we don't have write access to the conf files and need to do everything with the web console. I was just hoping there was a way to do it without having to access the conf files.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...