Getting Data In

Will our current configuration work for monitoring our application logs and changing the sourcetype?

rrmavani
Engager

Hello Splunk Guru,

In our environment, we have many Universal forwarders, few indexers and couple of search heads.

Files to monitor from many forwarders

/application/app1/logs/*
/application/app2/logs/*
/application/app3/logs/*

Will the configuration below work? If not work, what should we do?
In Forwarder
inputs.conf

[monitor:///application/*/logs/*]
followTail = 0 

props.conf

[source::/application/*/logs/*]
TRANSFORMS-change_stuff = change_sourcetype

In Indexer
transforms.conf

[change_sourcetype]
SOURCE_KEY = MetaData:Source
REGEX = /application/*/logs/*
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::$1
0 Karma
1 Solution

woodcock
Esteemed Legend

If I understand your goal (unsure), the only changes that you need to make are to remove followTail = 0 and replace it with a preliminary sourcetype setting (which you will override later) like this:

sourcetype = ChangeToAppName

Then change your transforms.conf line to this:

REGEX = /application/([^/]+)/logs

This will change your sourcetypetype to the 2nd segment of your path, which I think is what you are trying to do (it really doesn't make sense to set your sourcetype to the same thing as your source).

View solution in original post

woodcock
Esteemed Legend

If I understand your goal (unsure), the only changes that you need to make are to remove followTail = 0 and replace it with a preliminary sourcetype setting (which you will override later) like this:

sourcetype = ChangeToAppName

Then change your transforms.conf line to this:

REGEX = /application/([^/]+)/logs

This will change your sourcetypetype to the 2nd segment of your path, which I think is what you are trying to do (it really doesn't make sense to set your sourcetype to the same thing as your source).

Get Updates on the Splunk Community!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability As businesses scale ...