
Is there a way to tag a Splunk source?

xindeNokia
Path Finder

Issue:
On the same box, we run different tests. But the results generated by those tests have the same name. Results need to be forwarded to the Splunk indexer. Is there a way to tag those "same name" files (with those test names etc.) for Splunk so we can identify a different result?

EG:

Test A -> C
Test B -> C

Somehow, can we tag C with A and B or something unique to query them separately on Splunk? Source type has already been used in this case.

Any help is appreciated!!


FrankVl
Ultra Champion

Given that it's just the time that's differentiating, I guess you need to look at writing some props and transforms to override one of the standard metadata fields, or set additional custom metadata fields. Or if you don't need it available as indexed metadata fields, you could just calculate a search time field based on the time.

If you want detailed help with that, it would help if you share some sample data and the criteria on how to determine the type.


xindeNokia
Path Finder

Thank you for the reply FrankVl!

The interesting part is we are trying to get the results history based on the test we run, but the types of test are executed randomly, for example:

time 1 on A ->C
time 2 on B ->C
time 3 on D->C
time 4 on A->C
....

and we would like to group the C generated by A in some way...

The C files are exactly the same: location, file name (source, sourcetype, index) are all the same, and Splunk does not know A/B/D...


FrankVl
Ultra Champion

So is there anything inside the events that allows you to distinguish which is which?


xindeNokia
Path Finder

Nope.... hmm. Maybe I should change the entire setup here so the source will be different...

I was thinking, if we can change some Splunk config files on the forwarder every time before we run a test to enable a tag or something, then we can reference it in our test in the query..


FrankVl
Ultra Champion

Oh, you trigger those tests manually?

What you could do is create 3 Splunk inputs.

/foo/bar/A/test.log
/foo/bar/B/test.log
/foo/bar/C/test.log

And before you run test type X, you create a symbolic link from /foo/bar/X/test.log to the actual location of the log.

That way the type will show up in the source value (since that contains the full file path).

After running the test, you remove the symlink again, and the next time you create the relevant symlink again before running the test.

But maybe it would just be a lot easier if you could somehow change your test setup to write different test types to separate folders or files. That prevents a lot of hassle and confusion.

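FrankVl's symlink approach written out as an added example (not code from the thread): the three monitor stanzas for the forwarder and a wrapper that creates the per-type link only for the duration of the test run. The /foo/bar layout follows the answer; the `test_results` sourcetype, the function names and the test command are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: one monitor stanza per test type, plus a
# wrapper that points <LINK_BASE>/<TYPE>/test.log at the real log only while
# that test runs, so the test type appears in the indexed "source" field.
set -eu

LINK_BASE="${LINK_BASE:-/foo/bar}"   # parent of the per-type symlink dirs (assumed)

# inputs.conf fragment for the forwarder: three stanzas, one per test type.
# crcSalt = <SOURCE> keys the file on its path, so the same log reached via
# /A/ and later via /B/ is not skipped as "already indexed".
inputs_conf() {
  for ttype in A B C; do
    printf '[monitor://%s/%s/test.log]\nsourcetype = test_results\ncrcSalt = <SOURCE>\n\n' \
      "$LINK_BASE" "$ttype"
  done
}

# link_test_log TYPE LOGFILE: expose LOGFILE as <LINK_BASE>/TYPE/test.log
link_test_log() {
  mkdir -p "$LINK_BASE/$1"
  ln -sf "$2" "$LINK_BASE/$1/test.log"
}

# unlink_test_log TYPE: remove the per-type symlink again after the run
unlink_test_log() {
  rm -f "$LINK_BASE/$1/test.log"
}

# run_tagged_test TYPE LOGFILE CMD...: link, run the test, unlink even on failure,
# and return the test command's exit status
run_tagged_test() {
  ttype="$1"; logfile="$2"; shift 2
  link_test_log "$ttype" "$logfile"
  rc=0
  "$@" || rc=$?
  unlink_test_log "$ttype"
  return $rc
}
```

The forwarder must have `followSymlink` left at its default of true for the monitor input to read through the link.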

FrankVl
Ultra Champion

How are those “same name” files separated on the source system? Different folders?


xindeNokia
Path Finder

Locations are the same, so source / sourcetype are all the same at this moment. Only the time they got generated is different.
