inputs.conf - configure "source"
Hi all,
I have a monitor stanza in inputs.conf that monitors our organization's proxy;
the logs are sent by syslog-ng.
I have only one stanza that monitors 4 different source IPs from that proxy.
I want to configure a different "source" for each source IP without seeing the name of the log in the value (under the source field).
Let's say the monitor path is (in the deployment server):
$SPLUNK_HOME/syslog/proxy/*/*.log
In the source field I will see:
$SPLUNK_HOME/syslog/proxy/<proxy_source_a|b|c|d>/<proxy_date_and_time>.log
I want the source to stop at proxy_source_a|b|c|d, for example:
$SPLUNK_HOME/syslog/proxy/<proxy_source_a|b|c|d>/
Is that possible?
You can rewrite any metadata field including source, sourcetype and host using transforms.
But, to be honest, I don't understand why you would want to lose information (the actual source file). You can always extract that info in search time if you want just the directory.
I'll probably make a meta field as you suggested;
I didn't want to do it at the start, but it seems to be the only way.
No, wait.
source _is_ a metadata field already. You can use transforms to either cut it as you initially planned or to extract data from it to another indexed field. You can also use EXTRACT or REPORT to extract the field in search time.
There are many possibilities here.
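Both routes mentioned in this reply and in the earlier one (rewrite `source` at index time with a transform, or keep `source` intact and extract the directory at search time) as a worked configuration. This is an added example, not config posted by anyone in the thread: the stanza name `trim_proxy_source`, the sourcetype name `proxy`, the extracted field name `proxy_source` and the sample path in the final comment are assumptions; the directory layout comes from the question.

```ini
# props.conf
# Must live on the instance that first parses the data (indexer or heavy
# forwarder). A universal forwarder does not apply these transforms, so a
# deployment server has to push this to the parsing tier, not to the UF.

# --- Option 1: index-time rewrite of the source field ---
# "..." matches across directory separators, "*" matches within one segment,
# so this stanza applies to every monitored file under syslog/proxy/<dir>/
[source::.../syslog/proxy/*/*.log]
TRANSFORMS-trim_source = trim_proxy_source

# --- Option 2: leave source intact, derive the directory at search time ---
# "proxy" is an assumed sourcetype name; use the one set in inputs.conf.
# "in source" tells EXTRACT to run the regex against the source field
# instead of _raw.
[proxy]
EXTRACT-proxy_source = /syslog/proxy/(?<proxy_source>[^/]+)/ in source


# transforms.conf

[trim_proxy_source]
# MetaData:Source carries the value with a "source::" prefix, so the capture
# group keeps that prefix plus the path up to and including the per-source
# directory, and the file name after it is dropped.
SOURCE_KEY = MetaData:Source
REGEX = ^(source::.*/syslog/proxy/[^/]+/)[^/]+\.log$
FORMAT = $1
DEST_KEY = MetaData:Source
# Assumed sample input:  source::/opt/splunk/syslog/proxy/proxy_source_a/2024-01-01.log
# Resulting source:      source::/opt/splunk/syslog/proxy/proxy_source_a/
```

Option 1 discards the file name permanently once the event is indexed, which is the information loss the earlier reply warned about; Option 2 costs nothing at index time and can be checked in search with `| stats count by source, proxy_source` before deciding to rewrite anything. Whichever option is used, the change only takes effect after the parsing instance reloads its configuration.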
I tried transforms and props yesterday and it didn't work,
but what is the "EXTRACT or REPORT" you mention?
1. What _exactly_ did you try? And how does it 'not work'?
2. EXTRACT and REPORT are two settings which can be used for search-time extractions.
https://community.splunk.com/t5/Getting-Data-In/How-to-replace-meta-information/m-p/98452
Here are 2 links demonstrating different use cases to replace source values with something for their particular use. Leveraging rex, you can replace your source with the value and match you require. The process is the same even if the rex is different.
Tried those 2 options already with no good results.
Thank you.