inputs.conf - Can we declare multiple sourcetypes depending upon where the origin of the logs is?

paulgo
Explorer

We're sending logs to SplunkCloud over port 514 using the following stanza in inputs.conf

[udp://514]
index=syslog
disabled=false
sourcetype=syslog

This works great; however, we are now sending more than one type of log this way. Can we declare multiple sourcetypes depending upon where the origin of the logs is? For example: if they are from IP address A, give it the "firewall" sourcetype, and from IP address B, give it the "crontab" sourcetype?


gcusello
SplunkTrust

Hi @paulgo,

In general, it's a best practice to use one or (better) two Heavy Forwarders (with a Load Balancer) on premise to ingest the syslogs and then send the logs to Splunk Cloud, so you can configure the syslog receiving as I'll describe below; otherwise, as @richgalloway said, it isn't possible, because you need to access the conf files and this isn't possible in Splunk Cloud.

Anyway, on premise, you can create in inputs.conf a dedicated stanza for each IP address, choosing a different sourcetype for each, but it must be unique.

The only problem is that you must do this only via conf file and not via GUI, because Splunk finds the 514 port already used, so you have to create in inputs.conf something like this:

[tcp://10.10.10.10:514]
sourcetype = sourcetype1
connection_host = ip

[tcp://10.10.10.11:514]
sourcetype = sourcetype2
connection_host = ip

[tcp://10.10.10.12:514]
sourcetype = sourcetype3
connection_host = ip

and restart Splunk on this server.

Otherwise, you have to override the sourcetype value following the instructions at https://docs.splunk.com/Documentation/Splunk/9.0.2/Data/Advancedsourcetypeoverrides#:~:text=You%20ca....

Ciao.

Giuseppe

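As an added illustration of the "override the sourcetype" route mentioned in the reply above (not configuration from the original post or from Splunk's documentation), here is a props.conf/transforms.conf pair for the on-premise Heavy Forwarder that assigns the two sourcetypes the question asks for by the sender's address. It assumes the [udp://514] input from the question with connection_host = ip, so that the host field carries the sender's IP; 10.10.10.10 and 10.10.10.11 are placeholder addresses.

```ini
# props.conf  (on the Heavy Forwarder that receives the syslog traffic)
# The override is applied at parse time, so it must live on the first
# full Splunk instance the data passes through, not on a Universal
# Forwarder and not in Splunk Cloud. The source of a [udp://514] input
# is "udp:514", so that is the stanza the transforms are attached to.
[source::udp:514]
TRANSFORMS-sourcetype_by_origin = set_st_firewall, set_st_crontab

# transforms.conf
# MetaData:Host holds the event's host value as "host::<value>"; with
# connection_host = ip on the input, <value> is the sender's IP address.
# Anchored regexes keep 10.10.10.1 from matching 10.10.10.10, and any
# sender that matches neither rule keeps the sourcetype set in inputs.conf.
[set_st_firewall]
SOURCE_KEY = MetaData:Host
REGEX = ^host::10\.10\.10\.10$
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::firewall

[set_st_crontab]
SOURCE_KEY = MetaData:Host
REGEX = ^host::10\.10\.10\.11$
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::crontab
```

Because UDP syslog carries no authentication of the sender address, treat a sourcetype assigned this way as a routing hint rather than as proof of the event's origin; a syslog server in front of Splunk (as the other reply describes) is where such checks belong.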

richgalloway
SplunkTrust

Splunk cannot do that, and it is one of the reasons why the best practice is to send syslog data to a dedicated syslog server (syslog-ng or rsyslog, for example). The syslog server writes the events to disk files, which are monitored by a Universal Forwarder.

Another option is to run the Splunk Connect for Syslog (SC4S) app. SC4S is a container that runs a configured syslog-ng process that forwards events to Splunk via HEC. See https://splunkbase.splunk.com/app/4740

---
If this reply helps you, Karma would be appreciated.