How to Identify sourcetypes by logs

MadhuS1
Explorer

Hi

Is there any way that we could easily identify the sourcetypes for different logs?
Is there any place where I can see a list of all sourcetypes with sample logs in Splunk? Or anything that helps me decide the sourcetype?

I have a situation where, for an index and a sourcetype, I have different types of logs, and I am pretty sure that they are from the same sourcetype.

Thanks


skoelpin
SplunkTrust

You should use the punct field for this. The punct field looks at the punctuation in your logs, so you can easily tell the difference between different logging formats. So as an example, if you wanted to see the relationship between how many different sourcetypes share a common logging format, you would do something like this. You would probably need to chop off anything after 5 characters.

index=...
| stats values(sourcetype) AS sourcetype by punct

skoelpin
SplunkTrust

Did this work for you?


lloydknight
Builder

Also, check this link for the list of pretrained sourcetypes, in case your sourcetypes are already in Splunk.

MadhuS1
Explorer

This is good. Thank you...


tiagofbmm
Influencer

You could start by getting a sample of each log and using Splunk's automatic sourcetype detection by adding those samples to Splunk.

MadhuS1
Explorer

Thanks for the reply.

Did you mean index those logs using the Add Data menu, and then Splunk detects the sourcetype automatically?
What if the sourcetypes don't exist under my Splunk instance? Could you please give some more points and correct me if I am wrong? Thanks...


tiagofbmm
Influencer

Yes, using Add Data was my suggestion; as you know, Splunk has that feature built in.

In case the sourcetype does not exist in the environment, what I always do when I have a new kind of log is go to SplunkBase and search for the technology I'm looking for. Most of the parsing packages are really good, and there is no point in re-inventing the wheel.

Give SplunkBase a shot too.


MadhuS1
Explorer

I will try that. Thank you very much 🙂


tiagofbmm
Influencer

Alright, let me know what you found (or did not find).

If the answer has been useful for you, upvote or accept it for future reference.
