Hello,
one of our applications has the following log structure:
#Fields: Date ; Time ; Site Instance ; Event ; Client IP ; Username ; Host header ; Additional info about request (event specific)
How can I add it as a sourcetype to Splunk?
Thanks
Add the code below to your transforms.conf:
[mytestsourcetype]
DELIMS = ";"
FIELDS = "Date", "Time", "Site Instance"....
You add it as an input. One of the configuration options is to set the sourcetype.
http://www.splunk.com/base/Documentation/6.2.4/Admin/Inputsconf?r=splunky
[monitor:///myfile/....]
sourcetype = my_sourcetype
After you have it in Splunk, you can create the extractions for it to pull the interesting fields.
Hey
Already got the logs into Splunk by using:
[monitor://D:\LogFiles\ApplicationLogs\logtest_*]
disabled = 0
recursive = true
index = logtest
sourcetype = mytestsourcerype
BUT I can't filter by fields; Splunk doesn't recognize the fields in the logs.
So now you need to set up Field Extractions. Check this out in the manual: http://docs.splunk.com/Documentation/Splunk/6.2.4/Knowledge/ExtractfieldsinteractivelywithIFX There are a few different ways to extract the data, but this will get you started.
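As an added example (not from this thread and not Splunk's own code), here is a small Python parser showing what a semicolon-delimited extraction over the "#Fields:" header above should yield: field names normalized to a search-friendly form without spaces, whitespace around each delimiter stripped, short records padded, and the free-form last column kept whole even when it contains ";". The log lines are constructed sample data.

```python
import re
from typing import Dict, List

# Constructed sample that follows the "#Fields:" header from the question.
# The last column is free-form and may itself contain the ";" delimiter.
SAMPLE_LOG = """\
#Fields: Date ; Time ; Site Instance ; Event ; Client IP ; Username ; Host header ; Additional info about request (event specific)
2015-07-01 ; 10:15:32 ; web01 ; LOGIN_OK ; 203.0.113.5 ; alice ; app.example.test ; method=POST; path=/login
2015-07-01 ; 10:15:40 ; web01 ; LOGIN_FAIL ; 203.0.113.9 ; bob ; app.example.test ; bad password; attempt=3
2015-07-01 ; 10:16:01 ; web02 ; REQUEST ; 198.51.100.7 ; - ; app.example.test
"""

def splunk_field_name(header: str) -> str:
    """Turn a header label into a field name made of letters, digits and '_'."""
    return re.sub(r"[^A-Za-z0-9_]+", "_", header).strip("_")

def parse_header(line: str) -> List[str]:
    """Extract the ordered field names from the '#Fields:' header line."""
    if not line.startswith("#Fields:"):
        raise ValueError("expected a #Fields: header line")
    return [splunk_field_name(h.strip()) for h in line[len("#Fields:"):].split(";")]

def parse_record(line: str, fields: List[str]) -> Dict[str, str]:
    """Split one event on ';' only len(fields)-1 times so the free-form last
    column keeps any ';' it contains; missing trailing columns become ''."""
    parts = [p.strip() for p in line.split(";", len(fields) - 1)]
    parts += [""] * (len(fields) - len(parts))  # pad short records
    return dict(zip(fields, parts))

def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse a whole file: header first, then one dict per non-comment event line."""
    lines = [l for l in text.splitlines() if l.strip()]
    fields = parse_header(lines[0])
    return [parse_record(l, fields) for l in lines[1:] if not l.startswith("#")]

if __name__ == "__main__":
    for ev in parse_log(SAMPLE_LOG):
        print(ev["Client_IP"], ev["Event"], ev["Additional_info_about_request_event_specific"])
```

If you do the same in Splunk with DELIMS/FIELDS, give the names in FIELDS the same no-spaces treatment, and remember that the "#Fields:" header line itself will otherwise be indexed as an ordinary event.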