Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

conditional index and sourcetype name inputs.conf by file-naming-convention

hiddenkirby
Contributor
‎09-09-2010 06:33 PM

So my goal is to be able to pass a file to a splunk-monitored directory.. and have splunk apply it to the appropriate index and sourcetype...by a sort of naming convention.

file would come in as "indexname_sourcetype_filename.txt" or whatever... and my inputs.conf would do the appropriate thing.

is this possible?

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

southeringtonp
Motivator
‎09-09-2010 08:43 PM

Yes, this should be possible. It would be something along these lines:

In transforms.conf:

[override-sourcetype]
SOURCE_KEY = source
DEST_KEY = MetaData:Sourcetype
REGEX = \w+_(\w+)_\w+\.txt$
FORMAT = sourcetype::$1

[override-index]
SOURCE_KEY = source
DEST_KEY = _MetaData:Index
REGEX = (\w+)_\w+_\w+\.txt$
FORMAT = index::$1

And then in props.conf:

[source::/var/log/inputdir/*]
TRANSFORMS-sourcetype = override-sourcetype
TRANSFORMS-index = override-index

View solution in original post

Reply
Solved! Jump to solution

cssmdi
Explorer
‎11-27-2019 02:38 AM

Hi
I had some trouble defining an indexname out of the path and filename of the sourcefile.
In MetaData:Source, the sourcename is prefixed with 'source::', so you have to consider this in the regex. Further, in the index name, defined in 'FORMAT = ' , there is no prefix. The configuration in the example above has to be 'FORMAT = $1' and not 'FORMAT = index::$1'.

0 Karma
Reply
Solved! Jump to solution
Solution

southeringtonp
Motivator
‎09-09-2010 08:43 PM

Yes, this should be possible. It would be something along these lines:

In transforms.conf:

[override-sourcetype]
SOURCE_KEY = source
DEST_KEY = MetaData:Sourcetype
REGEX = \w+_(\w+)_\w+\.txt$
FORMAT = sourcetype::$1

[override-index]
SOURCE_KEY = source
DEST_KEY = _MetaData:Index
REGEX = (\w+)_\w+_\w+\.txt$
FORMAT = index::$1

And then in props.conf:

[source::/var/log/inputdir/*]
TRANSFORMS-sourcetype = override-sourcetype
TRANSFORMS-index = override-index
Reply
Solved! Jump to solution

platform_pie
New Member
‎08-23-2011 05:47 PM

BTW - I was doing this for just the sourcetype override, and needed to change SOURCE_KEY = MetaData:Source in the transforms.conf [override-sourcetype] stanza to get this to work.

0 Karma
Reply
Solved! Jump to solution

hiddenkirby
Contributor
‎09-10-2010 02:48 PM

ok so no way to create the index dynamically. thanks for this. 🙂

0 Karma
Reply
Solved! Jump to solution

southeringtonp
Motivator
‎09-10-2010 02:17 PM

No, configure inputs.conf as normal, and create each destination index ahead of time via indexes.conf or the Manager. The settings above will override the sourcetype and destination index as the file is indexed. Not sure what happens if the index doesn't exist - it will probably throw an indexing error but it might revert back to the default index.

0 Karma
Reply
Solved! Jump to solution

hiddenkirby
Contributor
‎09-10-2010 01:37 PM

and no inputs.conf at all?

Reply
Solved! Jump to solution

hiddenkirby
Contributor
‎09-10-2010 01:36 PM

That is cool. What happens if the index doesnt exist yet?

0 Karma
Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
Top