Getting Data In

How can we upload the same logs under two different sourcetypes?

AKG1_old1
Builder

Hi,

Our requirement is to upload the same logs with two different sourcetypes. I have observed that in one inputs.conf we can't specify the exact same path/location of logs twice, so I have created 2 different inputs.conf files in the same forwarder.

1st inputs.conf : /splunkforwarder/etc/apps/splunk_forwarder1/local/inputs.conf
    # stanza header identical to the one in splunk_forwarder2; dots in the whitelist escaped
    [batch:///net/hp737srv/hp737srv/apps/SPLUNK_FILES/*/Resources/.../*]
    disabled = false
    index = mlc_log_drop
    whitelist = .*\.gc.*\.log$|gc_.*\.log$|GC_.*\.log$
    host_segment = 6
    crcSalt = <SOURCE>
    sourcetype = sun_jvm


2nd inputs.conf : /splunkforwarder/etc/apps/splunk_forwarder2/local/inputs.conf

    # same stanza header as in splunk_forwarder1, only the sourcetype differs
    [batch:///net/hp737srv/hp737srv/apps/SPLUNK_FILES/*/Resources/.../*]
    disabled = false
    index = mlc_log_drop
    whitelist = .*\.gc.*\.log$|gc_.*\.log$|GC_.*\.log$
    host_segment = 6
    crcSalt = <SOURCE>
    sourcetype = G1

But it's uploading only for 1 sourcetype.

Thanks

0 Karma
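The reason only one sourcetype shows up: Splunk merges stanzas that share the same name across apps according to its configuration-file precedence rules, so the two [batch://...] stanzas above collapse into a single effective stanza and only one app's sourcetype setting survives. A second copy of the data therefore has to be produced after the input, not by a second input. The configuration below is an added example, not from the original post, showing one input stanza plus a CLONE_SOURCETYPE transform that duplicates every sun_jvm event into a G1 event. It reuses the path, index and whitelist from the post (with the dots in ".gc" and ".log" escaped); the transform stanza name clone_gc_to_g1 is an assumed name, and the props.conf and transforms.conf parts must live on the indexer or a heavy forwarder, since a universal forwarder does not run index-time transforms.

```ini
# inputs.conf on the forwarder: a single stanza. The second app with the
# same stanza header is removed, because identical stanza names are merged
# by precedence and only one sourcetype value can win.
# move_policy = sinkhole is required for batch:// and means the files are
# deleted once read; use monitor:// instead if they must stay on disk.
[batch:///net/hp737srv/hp737srv/apps/SPLUNK_FILES/*/Resources/.../*]
disabled = false
move_policy = sinkhole
index = mlc_log_drop
whitelist = .*\.gc.*\.log$|gc_.*\.log$|GC_.*\.log$
host_segment = 6
crcSalt = <SOURCE>
sourcetype = sun_jvm

# props.conf on the indexer or heavy forwarder (not the universal forwarder):
# run the cloning transform on everything that arrives as sun_jvm.
[sun_jvm]
TRANSFORMS-clone_to_g1 = clone_gc_to_g1

# transforms.conf on the same host. REGEX = . matches every event, so each
# sun_jvm event is duplicated into a second event carrying sourcetype G1.
# "clone_gc_to_g1" is an assumed stanza name, not something from the thread.
[clone_gc_to_g1]
REGEX = .
CLONE_SOURCETYPE = G1
```

Two caveats before relying on this. First, every cloned event is indexed a second time and counts against the licence a second time. Second, cloning happens in the typing pipeline, after line breaking, so the G1 copy keeps the event boundaries that the sun_jvm props produced; if the two sourcetypes need different LINE_BREAKER or SHOULD_LINEMERGE settings, cloning does not deliver that, and the only way to get different line breaking is to decide the sourcetype at the input (separate monitor stanzas by path or file name).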
1 Solution

woodcock
Esteemed Legend

niketn
Legend

@woodcock as always, I learnt something from you 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

woodcock
Esteemed Legend

I wish that I could actually learn from you but I am CLUELESS about JS so I just have all of your "I will need this sometime in the future" stuff bookmarked!

0 Karma

AKG1_old1
Builder

@woodcock @niketnilay : thanks guys for help.

As of now we are using 2 different forwarders for these sourcetypes and changed "batch" to "monitor". It's working fine, but in future we will try the CLONE_SOURCETYPE option to avoid uploading twice. Thanks again 🙂

0 Karma

niketn
Legend

@agoyal would it be possible for you to explain the reason for same data to be replicated to two different sourcetypes? It would cost double licence and duplicate data.

Option 1: Heavy Forwarder or Indexer to route data to different sourcetypes (data can be moved to two sourcetypes as well)

https://docs.splunk.com/Documentation/Splunk/latest/Data/Advancedsourcetypeoverrides#Example:_Assign...

Option 2: collect command to move data (will not cost license volume if sourcetype=stash is used.)

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

AKG1_old1
Builder

@niketnilay : Thanks for reply. I think only heavy forwarder will work in my case.

There are multiple reasons for uploading data twice. These are GC logs and we get these logs based on different algorithms (conventional GC and new G1). There is no easy way to differentiate between these log types. File names are the same as well.
These logs are totally different and we have a complex props.conf for both of them because we are extracting many fields from these logs. Second, in one sourcetype we are breaking events line by line and in the other sourcetype we break multiline events, so I don't think we can use the collect option here.

I think I should try a heavy forwarder. These GC logs are very small in volume (around 1%), so we are not overly worried about licence usage.

0 Karma

niketn
Legend

@agoyal, if the data format is different for the two methods GC and G1, then you can use the pattern in the data to route to different sourcetypes.

Also, if the events are different, how about you add different tags to different version of GC log? This would be search time though!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
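An index-time sourcetype override that routes on content, the mechanism behind the "Advanced source type overrides" link above, looks like the following. This is an added example, not from the thread: the REGEX is an assumption based on the markers JDK 8 prints for G1 with -XX:+PrintGCDetails (for example "[GC pause (G1 Evacuation Pause) (young), 0.0123 secs]") and must be checked against a real file before use; the stanza name gc_route_g1 is assumed; both files go on the indexer or a heavy forwarder, because a universal forwarder does not run these transforms.

```ini
# props.conf on the indexer or heavy forwarder: the input still tags every
# file as sun_jvm, and this transform retags the events that turn out to be G1.
[sun_jvm]
TRANSFORMS-route_g1 = gc_route_g1

# transforms.conf on the same host. The REGEX is an assumption about JDK 8
# G1 output (PrintGCDetails); conventional collectors print PSYoungGen,
# ParNew, DefNew or CMS blocks instead and never match, so they stay sun_jvm.
# "gc_route_g1" is an assumed stanza name.
[gc_route_g1]
REGEX = \[GC pause \(G1 |G1 Evacuation Pause|G1 Humongous Allocation
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::G1
```

Events without a G1 marker keep sun_jvm, and nothing is indexed twice, so there is no extra licence cost. The limit of this approach: the override runs per event after line breaking, so the retagged events get G1's search-time configuration (EXTRACT, REPORT, aliases, tags) but not its index-time LINE_BREAKER or SHOULD_LINEMERGE; event boundaries are fixed by the sourcetype the input assigned. If the two formats must be broken differently, the sourcetype has to be decided at the input, which with identical file names and directories means some other distinguishing attribute (host, a different path on the producing side, or a wrapper that renames the files).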

skoelpin
SplunkTrust

Why would you want to do this? Makes zero sense. You're paying a double license cost and making it much harder to manage when you scale. Perhaps you should tag your events rather than using 2 different sourcetypes.

0 Karma

AKG1_old1
Builder

@skoelpin: these are GC logs and the logs can be based on different algorithms. Identifying the algorithm using props.conf is difficult as these are multiline and complex structured. So I am looking to upload twice.
It will be much easier to manage for us and it's less than 2% of total logs, so we don't care about licence.

0 Karma

skoelpin
SplunkTrust

What happens when you scale though? I'm sure the business cares about that extra thousands of dollars lost due to inefficiency. It sounds like you're filtering logs based off their sourcetype. If true, it's time to craft a plan and reverse course on this process. It will only hurt you in the long run doing it this way.

A better solution would be to explicitly monitor the GC folder and use tags in the inputs.conf and filter off the tags. You can do this by adding _meta = action::GC and going to your fields.conf on the indexer(s) and search head(s) and setting

    [action]
    INDEXED = true

This will then allow you to search on a single standard sourcetype for the same formatted logs and filter off the tag

0 Karma

AKG1_old1
Builder

@skoelpin : I am not sure how tagging works. Logs filename and directory locations are exact same.

2nd thing is that for one type of log we break events on each line and for the other type of log we extract multiline events. So not sure if it will work in my case.

0 Karma