inputs.conf - configure "source"

Gil
Explorer

Hi all,

I have a monitor stanza in inputs.conf that monitors our organization's proxy;

the logs are sent by syslog-ng.

I have only one stanza that monitors 4 different source IPs from that proxy.

I want to configure a different "source" for each source IP without seeing the name of the log in the value (under the source field).
Let's say the monitor path is (in the deployment server):
$SPLUNK_HOME/syslog/proxy/*/*.log

In the source field I will see:
$SPLUNK_HOME/syslog/proxy/<proxy_source_a|b|c|d>/<proxy_date_and_time>.log

I want the source to stop at proxy_source_a|b|c|d, for example:
$SPLUNK_HOME/syslog/proxy/<proxy_source_a|b|c|d>/

Is that possible?


PickleRick
SplunkTrust

You can rewrite any metadata field including source, sourcetype and host using transforms.

But, to be honest, I don't understand why you would want to lose information (the actual source file). You can always extract that info at search time if you want just the directory.

Gil
Explorer

I'll probably make a meta field as you suggested.

I didn't want to do it at the start, but it seems the only way.

isoutamo
SplunkTrust

What is your current reason why you are trying this, and what is your original issue which you are solving?

PickleRick
SplunkTrust

No, wait.

source _is_ a metadata field already. You can use transforms to either cut it as you initially planned or to extract data from it into another indexed field. You can also use EXTRACT or REPORT to extract the field at search time.

There are many possibilities here.

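To make the two options above concrete, here is an added example (not from the original thread) of both the index-time rewrite and the search-time extraction. It assumes $SPLUNK_HOME resolves to /opt/splunk, that the directory names are proxy_source_a to proxy_source_d, and that the index-time stanzas are deployed to the indexers or heavy forwarders that parse the data (universal forwarders do not run transforms, and index-time rewrites only affect data indexed after the change).

```ini
# --- props.conf (example, assumes /opt/splunk as $SPLUNK_HOME) ---
# Match every proxy log file under the per-source directories.
# In a source:: stanza, "*" matches anything except "/".
[source::/opt/splunk/syslog/proxy/*/*.log]
# Option 1: index-time rewrite of the source metadata field.
TRANSFORMS-proxy_src = cut_proxy_source
# Option 2: keep source intact, extract the directory name at search time.
# Syntax: EXTRACT-<class> = <regex> in <field>
EXTRACT-proxy_src = /proxy/(?<proxy_source>[^/]+)/ in source

# --- transforms.conf (example) ---
[cut_proxy_source]
# MetaData:Source carries the value as "source::/path/to/file", so the
# regex must consume the "source::" prefix and FORMAT must put it back.
SOURCE_KEY = MetaData:Source
REGEX = ^source::(/opt/splunk/syslog/proxy/[^/]+/)[^/]+\.log$
FORMAT = source::$1
DEST_KEY = MetaData:Source
```

After a restart of the parsing tier, events from /opt/splunk/syslog/proxy/proxy_source_b/2024-01-01.log would carry source=/opt/splunk/syslog/proxy/proxy_source_b/ under option 1, while option 2 leaves source unchanged and exposes proxy_source=proxy_source_b in search results. Check the result with `index=<your_index> | stats count by source, proxy_source` (placeholder index name).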

Gil
Explorer

I tried transforms and props yesterday and it didn't work,

but what is the "EXTRACT or REPORT" you mention?

PickleRick
SplunkTrust

1. What _exactly_ did you try? And how does it 'not work'?

2. EXTRACT and REPORT are two settings which can be used for search-time extractions.


dural_yyz
Motivator

https://community.splunk.com/t5/Getting-Data-In/Adding-a-field-and-changing-source-from-Source/m-p/1...

https://community.splunk.com/t5/Getting-Data-In/How-to-replace-meta-information/m-p/98452

Here are 2 links demonstrating different use cases to replace source values with something for their particular use. Leveraging rex, you can replace your source with the value and match you require. The process is the same even if the rex is different.

Gil
Explorer

Tried those 2 options already with no good results.

Thank you.