- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Setting sourcetype based on source with wildca...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Setting sourcetype based on source with wildcards via web console?
Hello all,
I am looking to set the sourcetype of my logs based of the logs' source. I know how to do this by modifying the .conf file, but I need to know how to do this from the web console. I know I can set the sourcetype from the monitoring directories, but it won't accept wildcards. Essentially want to get the example below, but via the web console.
[source::/file/archive/*BSM*]
sourcetype = solaris_bsm
Do I have to monitor the directory with a white/black list and then set the sourcetype? The directory I am monitoring will have several different desired sourcetypes in it. Will I have to, for each sourcetype in the directory, have its own data input configured to monitor the directory with the desired white/blacklist regex?
Thanks in advance for the help!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can edit the configuration files somewhere else and then deploy then via app (Deployment Server or Search Head admin GUI).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Update:
Set up the directory to be monitored with a whitelist for files that fall under a specific sourcetype. Worked perfectly, with the assuming I can just set up several monitors on the same dir, with a whitelist of for files. That was not the case. Can only have one directory monitor set up.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't think the Index-time override of source can be done from the Splunk Web UI. You would need to use conf file methods. To override sourcetype based on source values (like in the question), you need to update props.conf on the forwarder (see this). I
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That is how I have done it in the past, by just updating the props.conf. With my company's new structure, we don't have write access to the conf files and need to do everything with the web console. I was just hoping there was a way to do it without having to access the conf files.
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
Introducing Splunk Enterprise 9.2
