case statement logic in inputs.conf

a212830 · ‎11-15-2013

Hi,

Is there a way to setup inputs.conf so that a default sourcetype (and it's associated props) will be used, unless a later, more precise association is found?

For example:

[default)
anything....

[specific_match1)
stuff

[specific_match2]
stuff

We use rsyslog to route syslog messages to logfiles. The logfiles are written to ../YYYY/MM/DD/system-hostname.log and we then use inputs.conf to determine the sourcetype. The match is typically done on the name of the host - so, hostA* are netscreens, and hostB* are some other device type... In prod, this works fine. However, when a new device type comes on-board, we test it first, and I become the bottleneck, because inputs.conf needs to be updated. My hope is to setup something as described above and put it in test, so that the engineers can route any device syslog, without requiring my intervention.

Is this possible?

dmaislin_splunk · ‎11-15-2013

You would use props and transforms to do that:

http://docs.splunk.com/Documentation/Splunk/6.0/Forwarding/Routeandfilterdatad

a212830 · ‎11-15-2013

I can, but before I go down that path, I guess my question is how does the forwarder handle matches? Does it take the first? The last? Does it do nothing? If I know it behaves in a certain manner, then I can test out that situation.

dmaislin_splunk · ‎11-15-2013

Can you be a bit more specific. Give me some real examples with full source path/host.log so I can see how you are doing this today. Then show me a new host that is added that doesn't fit that criteria. I am happy to help.

a212830 · ‎11-15-2013

I've read that doc. I don't see any setup that addresses my situation. Can you be more specific?

case statement logic in inputs.conf

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!