Knowledge Management

Do I Need an Event Type For This?

barne_dn
Explorer

I'm trying to figure out the best architecture for what I'm trying to do. My base question is whether I need an event type for this, but let’s start with the data I'll be indexing.

I have a small 5 line text file I need to index.

Requirement 1: Index the file any time it changes
Requirement 2: Index the entire contents of the file as one event. If you are familiar with Windows events, all of the data, including hostname and network address, is indexed under one event. I'd like this to be in the same format. Do I need to set up an event type for this?
Requirement 3: Extract fields from this data so that they are easily accessible

This is what the file looks like:
[Fri Feb 22 11:54:51 2013] Serial Number: <333-333-222/12000000>
[Fri Feb 22 11:54:51 2013] Model Type:
[Fri Feb 22 11:54:51 2013] O/S:

Here is what I think I should do:

Requirement 1: set up a monitor: stanza on the forwarder to forward the file
Requirement 2: set up an event type so that the entire file is indexed as one event
Requirement 3: Can I set up a field extraction through transforms.conf?


lguinn2
Legend

You don't need an eventtype - I think you misunderstand the definition of eventtype in Splunk.

I think what you need is a sourcetype. Sourcetypes are usually the basis for defining how a source breaks into events, how to extract the fields, etc.

In your monitor stanza, assign the new sourcetype name to the input (in inputs.conf).

In props.conf, you can set the rules for how you want timestamp and line-breaking to be handled for this sourcetype. You can also specify field extractions in props.conf, or you can use a combination of props.conf and transforms.conf. As simple as your file looks, I would probably just do it in props.conf.

Look at the Getting Data In manual for help with timestamping and line-breaking. This is the most important part, because you can always edit field extractions after the data has been indexed. But if the breaks between events or the timestamp is wrong, it can't be changed once it is indexed!
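The following is an added example of the inputs.conf and props.conf stanzas described in this answer; it is not configuration from the original thread or from Splunk's documentation. The file path, the sourcetype name device_info and the field names are assumptions, and the regular expressions are written against the three sample lines in the question.

```ini
# inputs.conf on the forwarder (path is an assumption; point it at the real file)
[monitor:///var/log/inventory/device_info.txt]
sourcetype = device_info
disabled = false

# props.conf on the indexer (or heavy forwarder) for the assumed sourcetype
[device_info]
# Requirement 2: keep every line of the file in a single event.
# Line merging is on, date-based breaking is off, and the break pattern
# is an empty negative lookahead, which never matches, so no break occurs.
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE_DATE = false
BREAK_ONLY_BEFORE = (?!)
# Default MAX_EVENTS is 256 merged lines, far above a 5-line file.

# Timestamp comes from the bracketed prefix: [Fri Feb 22 11:54:51 2013]
TIME_PREFIX = ^\[
TIME_FORMAT = %a %b %d %H:%M:%S %Y
MAX_TIMESTAMP_LOOKAHEAD = 25

# Requirement 3: search-time field extractions done in props.conf alone.
# Each regex is anchored on its label; the value runs to the end of that line,
# so "Model Type:" with nothing after it yields an empty model_type.
EXTRACT-serial_number = Serial Number:\s*<(?<serial_number>[^>]*)>
EXTRACT-model_type = Model Type:[ \t]*(?<model_type>[^\r\n]*)
EXTRACT-os = O/S:[ \t]*(?<os>[^\r\n]*)
```

Two practical notes. First, because the answer is right that line breaking and timestamps are fixed once data is indexed, send the file to a scratch index first and confirm one event per file and the expected _time before pointing the input at production. Second, the monitor input keeps a read checkpoint per file, so a file that is overwritten in place rather than appended to may not be re-read from the beginning; the initCrcLength and crcSalt settings in inputs.conf are the ones to review if changed files are not being picked up.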
