Getting Data In

case statement logic in inputs.conf

a212830
Champion

Hi,

Is there a way to set up inputs.conf so that a default sourcetype (and its associated props) will be used, unless a later, more precise association is found?

For example:

[default]
anything....

[specific_match1]
stuff

[specific_match2]
stuff

We use rsyslog to route syslog messages to logfiles. The logfiles are written to ../YYYY/MM/DD/system-hostname.log and we then use inputs.conf to determine the sourcetype. The match is typically done on the name of the host - so, hostA* are netscreens, and hostB* are some other device type... In prod, this works fine. However, when a new device type comes on-board, we test it first, and I become the bottleneck, because inputs.conf needs to be updated. My hope is to set up something as described above and put it in test, so that the engineers can route any device syslog, without requiring my intervention.

Is this possible?

0 Karma

dmaislin_splunk
Splunk Employee
0 Karma

a212830
Champion

I can, but before I go down that path, I guess my question is how does the forwarder handle matches? Does it take the first? The last? Does it do nothing? If I know it behaves in a certain manner, then I can test out that situation.

0 Karma

dmaislin_splunk
Splunk Employee

Can you be a bit more specific? Give me some real examples with full source path/host.log so I can see how you are doing this today. Then show me a new host that is added that doesn't fit that criteria. I am happy to help.

0 Karma

a212830
Champion

I've read that doc. I don't see any setup that addresses my situation. Can you be more specific?

0 Karma