Hi
Is there any way that we could easily identify the sourcetypes for different logs?
Is there any place where I can see a list of all sourcetypes with sample logs in Splunk, or anything which helps me decide the sourcetype?
I have a situation where, for one index and one sourcetype, I have different types of logs, and I am pretty sure that they are from the same sourcetype.
Thanks
You should use the punct field for this. The punct field looks at the punctuation in your logs so you can easily tell the difference between different logging formats. So as an example, if you wanted to see the relationship between how many different sourcetypes share a common logging format, you would do something like this. You would probably need to chop off anything after 5 characters.
index=...
| stats values(sourcetype) AS sourcetype by punct
Did this work for you?
Also, check this link for the list of pretrained sourcetypes in case your sourcetypes are already in Splunk.
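To make the punct idea concrete, here is an added Python example (not from the original thread or from Splunk) that rebuilds an approximation of the punct field over a handful of constructed log lines and then groups them the way `stats values(sourcetype) by punct` and `stats dc(punct) by sourcetype` would. It assumes punct is derived from the first 30 characters of the raw event, drops letters and digits, and renders spaces as `_` and tabs as `t`; the sample events, sourcetype names and the 30-character window are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample events as (sourcetype, raw event). The last line is a JSON
# event that landed under the "syslog" sourcetype, i.e. the mixed situation
# the question describes.
SAMPLE_EVENTS = [
    ("linux_secure", "Jan 12 10:15:01 host1 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234"),
    ("syslog", "Jan 12 10:16:44 host2 cron[55]: (root) CMD (run-parts /etc/cron.hourly)"),
    ("app_json", '{"ts":"2024-01-12T10:15:01Z","level":"info","msg":"login ok"}'),
    ("access_combined", '10.0.0.5 - - [12/Jan/2024:10:15:01 +0000] "GET /index.html HTTP/1.1" 200 512'),
    ("syslog", '{"ts":"2024-01-12T10:20:00Z","level":"warn","msg":"disk 91% full"}'),
]

PUNCT_WINDOW = 30  # assumption: punct is computed over the first 30 characters of _raw


def punct(raw: str) -> str:
    """Approximate Splunk's punct field: keep only punctuation from the first
    PUNCT_WINDOW characters, with spaces shown as '_' and tabs as 't'."""
    out = []
    for ch in raw[:PUNCT_WINDOW]:
        if ch.isalnum():
            continue            # letters and digits are dropped
        if ch == " ":
            out.append("_")
        elif ch == "\t":
            out.append("t")
        else:
            out.append(ch)
    return "".join(out)


def sourcetypes_by_punct(events, prefix=None):
    """Equivalent of `| stats values(sourcetype) AS sourcetype by punct`.
    prefix=N truncates punct to its first N characters, which is the
    "chop off anything after 5 characters" step from the answer."""
    groups = defaultdict(set)
    for sourcetype, raw in events:
        key = punct(raw)
        if prefix is not None:
            key = key[:prefix]
        groups[key].add(sourcetype)
    return {key: sorted(sts) for key, sts in groups.items()}


def formats_per_sourcetype(events):
    """Equivalent of `| stats dc(punct) AS formats by sourcetype`: a sourcetype
    with more than one punct pattern is carrying more than one log format."""
    patterns = defaultdict(set)
    for sourcetype, raw in events:
        patterns[sourcetype].add(punct(raw))
    return {st: len(p) for st, p in patterns.items()}


if __name__ == "__main__":
    print("full punct -> sourcetypes")
    for key, sts in sourcetypes_by_punct(SAMPLE_EVENTS).items():
        print(f"  {key!r:18} {sts}")
    print("5-char punct prefix -> sourcetypes")
    for key, sts in sourcetypes_by_punct(SAMPLE_EVENTS, prefix=5).items():
        print(f"  {key!r:18} {sts}")
    print("distinct formats per sourcetype")
    for st, n in formats_per_sourcetype(SAMPLE_EVENTS).items():
        print(f"  {st:16} {n}")
```

Running it shows why the prefix matters: the two syslog-style lines get different full punct values (`__::__[` versus `__::__[]`) only because the hostname and process name differ in length, but share the prefix `__::_`, while the JSON line filed under `syslog` shows up as a second format for that sourcetype.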
This is good. Thank you...
You could start by getting a sample of each log and using Splunk's automatic sourcetype detection by adding those samples to Splunk.
Thanks for the reply.
Did you mean indexing those logs using the Add Data menu, so that Splunk detects the sourcetype automatically?
What if the sourcetypes don't exist under my Splunk instance? Could you please give some more points and correct me if I am wrong? Thanks...
Yes, using Add Data was my suggestion; as you know, Splunk has that feature built in.
In case the sourcetype does not exist in the environment, what I always do when I have a new kind of log is go to SplunkBase and search for the technology I'm looking for. Most of the parsing packages are really good and there is no point in re-inventing the wheel.
Give SplunkBase a shot too.
I will try that, Thank you very much 🙂
Alright let me know what you found (or did not find).
If the answer has been useful for you, upvote or accept it for future reference.