Knowledge Management

Do I Need an Event Type For This?

Explorer

I'm trying to figure out the best architecture for what I'm trying to do. My base question is whether I need an event type for this, but let’s start with the data I'll be indexing.

I have a small 5 line text file I need to index.

Requirement 1: Index the file anytime it changes
Requirement 2: Index the entire contents of the file as an event. If you are familiar with windows events, all of the data including hostname, network address are indexed under one event. I'd like this to be in the same format. Do I need to setup an event type for this?
Requirement 3: Extract fields from this data so that they are easily accessible

This is what the file looks like:
[Fri Feb 22 11:54:51 2013] Serial Number: <333-333-222/12000000>
[Fri Feb 22 11:54:51 2013] Model Type:
[Fri Feb 22 11:54:51 2013] O/S:

Here is what I think I should do:

Requirement 1: setup a monitor: directive on the forwarder to forward the file
Requirement 2: setup an event type so that the entire file is indexed at one event
Requirement 3: Can I setup a field extraction through transforms.conf?

Tags (2)
0 Karma

Legend

You don't need an eventtype - I think you misunderstand the definition of eventtype in Splunk.

I think you need is a sourcetype. Sourcetypes are usually the basis for defining how a source breaks into events, how to extract the fields, etc.

In your monitor stanza, assign the new sourcetype name to the input (in inputs.conf).

In props.conf, you can set the rules for how you want timestamp and line-breaking to be handled for this sourcetype. You can also specify field extractions in props.conf, or you can use a combination of props.conf and transforms.conf. As simple as your file looks, I would probably just do it in props.conf.

Look at the Getting Data In manual for help with timestamping and line-breaking. This is the most important part, because you can always edit field extractions after the data has been indexed. But if the breaks between events or the timestamp is wrong, it can't be changed once it is indexed!

Splunk Employee
Splunk Employee
0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!