configure sourcetype to an application

abovebeyond · ‎07-20-2015

Hello,

one of our application has the following log structure

#Fields: Date ; Time ; Site Instance ; Event ; Client IP ; Username ; Host header ; Additional info about request (event specific)

how can i add it as sourcetype to splunk ?

Thanks

dineshraj · ‎07-21-2015

Add below code to your transforms.conf -

[mytestsourcetype]
DELIMS = ";"
FIELDS = "Date", "Time", "Site Instance"....

alacercogitatus · ‎07-20-2015

You add it as an input. One of the configuration options is to set the sourcetype.

[monitor:///myfile/....]
sourcetype = my_sourcetype

After you have it in Splunk, you can create the extractions for it to pull the interesting fields.

abovebeyond · ‎07-20-2015

Hey

already got the logs on splunk by using :

[monitor://D:\LogFiles\ApplicationLogs\logtest_*]
disabled = 0
recursive = true
index = logtest
sourcetype = mytestsourcerype

BUT, i cant filter by fields , splunk doesnt recognize the logs with the fields

alacercogitatus · ‎07-21-2015

So know you need to setup Field Extractions. Check this out in the manual: http://docs.splunk.com/Documentation/Splunk/6.2.4/Knowledge/ExtractfieldsinteractivelywithIFX There are few different ways to extract the data, but this will get you started.