Knowledge Management

Do I Need an Event Type For This?

barne_dn
Explorer

I'm trying to figure out the best architecture for what I'm trying to do. My base question is whether I need an event type for this, but let’s start with the data I'll be indexing.

I have a small 5 line text file I need to index.

Requirement 1: Index the file any time it changes
Requirement 2: Index the entire contents of the file as an event. If you are familiar with Windows events, all of the data including hostname, network address are indexed under one event. I'd like this to be in the same format. Do I need to set up an event type for this?
Requirement 3: Extract fields from this data so that they are easily accessible

This is what the file looks like:
[Fri Feb 22 11:54:51 2013] Serial Number: <333-333-222/12000000>
[Fri Feb 22 11:54:51 2013] Model Type:
[Fri Feb 22 11:54:51 2013] O/S:

Here is what I think I should do:

Requirement 1: set up a monitor: directive on the forwarder to forward the file
Requirement 2: set up an event type so that the entire file is indexed as one event
Requirement 3: Can I set up a field extraction through transforms.conf?


lguinn2
Legend

You don't need an eventtype - I think you misunderstand the definition of eventtype in Splunk.

I think what you need is a sourcetype. Sourcetypes are usually the basis for defining how a source breaks into events, how to extract the fields, etc.

In your monitor stanza, assign the new sourcetype name to the input (in inputs.conf).

In props.conf, you can set the rules for how you want timestamp and line-breaking to be handled for this sourcetype. You can also specify field extractions in props.conf, or you can use a combination of props.conf and transforms.conf. As simple as your file looks, I would probably just do it in props.conf.

Look at the Getting Data In manual for help with timestamping and line-breaking. This is the most important part, because you can always edit field extractions after the data has been indexed. But if the breaks between events or the timestamp is wrong, it can't be changed once it is indexed!
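An added example of the inputs.conf and props.conf settings this answer describes; it is not from the thread or from Splunk's docs, and it assumes a sourcetype named device_info, a hypothetical file path, and that every line of the file starts with a bracketed timestamp as in the question.

```ini
# inputs.conf on the forwarder (Requirement 1): monitor the file and
# tag it with the new sourcetype. Path and sourcetype name are assumptions.
[monitor:///var/log/device_info.txt]
sourcetype = device_info
index = main

# props.conf (Requirements 2 and 3). With a universal forwarder the
# timestamp and line-breaking settings must be on the indexers (or a heavy
# forwarder); the EXTRACT-* settings are search-time and go on the search head.
[device_info]
# Timestamp sits at the start of the first line: [Fri Feb 22 11:54:51 2013]
TIME_PREFIX = ^\[
TIME_FORMAT = %a %b %d %H:%M:%S %Y
MAX_TIMESTAMP_LOOKAHEAD = 30
# Whole file as one event: merge lines, never break on a leading date
# (every line has one), and use a "break before" pattern that never matches.
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE_DATE = false
BREAK_ONLY_BEFORE = ^NEVER_MATCHES_ANY_LINE$
MAX_EVENTS = 256
# Search-time extractions, one per line of the file. [ \t]* rather than \s*
# so an empty value (e.g. "Model Type:") does not swallow the next line.
EXTRACT-serial_number = Serial Number:[ \t]*<(?<serial_number>[^>]+)>
EXTRACT-model_type = Model Type:[ \t]*(?<model_type>[^\r\n]*)
EXTRACT-os = O/S:[ \t]*(?<os>[^\r\n]*)
```

Check the result with a search such as sourcetype=device_info | table _time serial_number model_type os before relying on it, since the line-breaking and timestamp settings cannot be corrected after the data is indexed.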
