Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

inputs.conf - configure "source"

Gil
Explorer
‎09-23-2024 06:01 AM

Hi all,

i have a monitor stanza in inputs.conf  that monitor our organization proxy,

the logs are sent by syslog-ng

i have only one stanza that monitor 4 diff sources IP's from that proxy.

i want to configure diff "source" to each source ip's without seeing in the value (under the source field) the name of the log.
lets say the monitor path is (in the deployment server):
$SPLUNK_HOME/syslog/proxy/*/*.log

in the source field i will see:
$SPLUNK_HOME/syslog/proxy/<proxy_source_a|b|c|d>/<proxy_date_and_time>.log

i want the source to stop at proxy_source_a|b|c|d, example:
$SPLUNK_HOME/syslog/proxy/<proxy_source_a|b|c|d>/

is that possible?

 

Labels (5)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎09-23-2024 10:47 AM

You can rewrite any metadata field including source, sourcetype and host using transforms.

But, to be honest, I don't understand why you would want to lose information (the actual source file). You can always extract that info in search time if you want just the directory.

Reply

Gil
Explorer
‎09-23-2024 10:46 PM

I'll probably make a meta field as you suggested,

I didn't  wanted to do it at the start but it seems the only way.

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎09-28-2024 08:32 AM
What is your current reason why you are trying this and what is your original issue which you are solving?
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎09-24-2024 12:33 AM

No, wait.

source _is_ a metadata field already. You can use transforms to either cut it as you initially planned or to extract data from it to another indexed field. You can also use EXTRACT or REPORT to extract the field in search time.

There are many possibilities here.

0 Karma
Reply

Gil
Explorer
‎09-24-2024 02:30 AM

i tried transforms and props yesterday and it didnt work,

but what is "EXTRACT or REPORT" you mention.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎09-24-2024 02:57 AM

1. What _exactly_ did you try? And how it 'doesn't work'?

2. EXTRACT and REPORT are two settings which can be used for search-time extractions.

0 Karma
Reply

dural_yyz
Motivator
‎09-23-2024 07:20 AM

https://community.splunk.com/t5/Getting-Data-In/Adding-a-field-and-changing-source-from-Source/m-p/1...

https://community.splunk.com/t5/Getting-Data-In/How-to-replace-meta-information/m-p/98452

Here are 2 links demonstrating different use cases to replace source values with something for their particular use.  Leveraging rex you can replace your source with the value and match you require.  The process is the same even if the rex is different.

0 Karma
Reply

Gil
Explorer
‎09-23-2024 07:54 AM

tried those 2 option already with no good results.

thank you.

0 Karma
Reply
Get Updates on the Splunk Community!

Uncovering Multi-Account Fraud with Splunk Banking Analytics

Last month, I met with a Senior Fraud Analyst at a nationally recognized bank to discuss their recent success ...

Secure Your Future: A Deep Dive into the Compliance and Security Enhancements for the ...

What has been announced?  In the blog, “Preparing your Splunk Environment for OpensSSL3,”we announced the ...

New This Month in Splunk Observability Cloud - Synthetic Monitoring updates, UI ...

This month, we’re delivering several platform, infrastructure, application and digital experience monitoring ...
Top