Knowledge Management

Do I Need an Event Type For This?

barne_dn
Explorer

I'm trying to figure out the best architecture for what I'm trying to do. My base question is whether I need an event type for this, but let’s start with the data I'll be indexing.

I have a small 5 line text file I need to index.

Requirement 1: Index the file anytime it changes
Requirement 2: Index the entire contents of the file as an event. If you are familiar with Windows events, all of the data, including hostname and network address, is indexed under one event. I'd like this to be in the same format. Do I need to set up an event type for this?
Requirement 3: Extract fields from this data so that they are easily accessible

This is what the file looks like:
[Fri Feb 22 11:54:51 2013] Serial Number: <333-333-222/12000000>
[Fri Feb 22 11:54:51 2013] Model Type:
[Fri Feb 22 11:54:51 2013] O/S:

Here is what I think I should do:

Requirement 1: set up a monitor: directive on the forwarder to forward the file
Requirement 2: set up an event type so that the entire file is indexed as one event
Requirement 3: Can I set up a field extraction through transforms.conf?

0 Karma

lguinn2
Legend

You don't need an eventtype - I think you misunderstand the definition of eventtype in Splunk.

I think what you need is a sourcetype. Sourcetypes are usually the basis for defining how a source breaks into events, how to extract the fields, etc.

In your monitor stanza, assign the new sourcetype name to the input (in inputs.conf).

In props.conf, you can set the rules for how you want timestamp and line-breaking to be handled for this sourcetype. You can also specify field extractions in props.conf, or you can use a combination of props.conf and transforms.conf. As simple as your file looks, I would probably just do it in props.conf.

Look at the Getting Data In manual for help with timestamping and line-breaking. This is the most important part, because you can always edit field extractions after the data has been indexed. But if the breaks between events or the timestamp is wrong, it can't be changed once it is indexed!
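As an added example, not part of lguinn2's answer or any Splunk documentation, here are inputs.conf and props.conf stanzas that implement the three requirements for the sample file shown in the question. The file path, the sourcetype name `device_info` and the field names are assumptions; only the line format comes from the question.

```ini
# inputs.conf (on the forwarder) - Requirement 1: monitor the file.
# Path and sourcetype name are assumed for this example.
[monitor:///var/log/device_info.txt]
sourcetype = device_info
disabled = false
# Splunk identifies a file by a CRC of its first bytes, so a regenerated
# copy whose first line carries a new timestamp is read as new data
# (assumes the file is rewritten with fresh timestamps on each change).

# props.conf (on the indexer or heavy forwarder) - Requirements 2 and 3.
[device_info]
# Requirement 2: do not merge lines heuristically; instead break only at
# the newline that precedes a "Serial Number" line, so the whole file
# (all of its timestamped lines) becomes one event.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\[\w{3} \w{3} \d{1,2} \d{2}:\d{2}:\d{2} \d{4}\] Serial Number:
TRUNCATE = 10000
# Timestamp: the first bracketed date in the event, e.g. "Fri Feb 22 11:54:51 2013".
TIME_PREFIX = ^\[
TIME_FORMAT = %a %b %d %H:%M:%S %Y
MAX_TIMESTAMP_LOOKAHEAD = 25
# Requirement 3: search-time field extractions done in props.conf alone.
# Empty values (e.g. a blank "Model Type:") extract as an empty string.
EXTRACT-serial_number = Serial Number: <(?<serial_number>[^>]+)>
EXTRACT-model_type = Model Type:\s*(?<model_type>[^\r\n]*)
EXTRACT-os = O/S:\s*(?<os>[^\r\n]*)
```

The line-breaking and timestamp settings are index-time and must be in place before the file is first indexed; the EXTRACT- lines are search-time and can be changed later, as lguinn2 notes.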

sdaniels
Splunk Employee
0 Karma