Splunk Enterprise

how can I save custom sourcetype

daddyoh
Explorer

I am ingesting a log file via a forwarder into Splunk Light 6.4. This log file was initially specified as a psv (pipe separated value) sourcetype. I then extracted the fields using the "Extract New Fields" functionality. When I was done, it did not ask me to save this as a new sourcetype. The extracted fields are showing up as custom field names like expected.

I want to save this sourcetype with a new name and use it with other log files. How can I do that?

Thanks


daddyoh
Explorer

The problem is that the standard sourcetype psv is not the custom one, but the custom field extractions are showing up with that log file. I have other log files that use that exact format and sourcetype, but the extracted fields are not showing up. I also have log files that use pipes and are ingested with psv as the sourcetype that should not use the extracted field names.

So I think I need to capture the customization for the correct file and then apply that via the inputs.conf file to the ones with the same format.

So my original question is still what I need answered. How do I save this customization with a new name, not as psv? Sorry if that was not clear in the first message I wrote.


skoelpin
SplunkTrust

You need to specify the sourcetype on the forwarder in inputs.conf. The field is relative to the sourcetype.

So if you have 1 remote server, you will need to go and specify the sourcetype before the data is indexed. Once it's indexed, you can then create your field extraction, which is relative to that sourcetype.

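One way to lay this out, as an added example that is not from the thread: a forwarder-side inputs.conf that gives only the one file a custom sourcetype, and a search-side props.conf/transforms.conf pair that ties the pipe-delimited field extraction to that sourcetype, so other files still indexed as psv are unaffected. The file path, sourcetype name, index and field names are assumed placeholders.

```ini
# --- Forwarder: $SPLUNK_HOME/etc/system/local/inputs.conf (or an app's local/) ---
# The sourcetype is assigned here, before indexing; it cannot be changed
# for events that are already indexed. Only this monitored file gets the
# custom sourcetype, so other pipe-delimited files keep the stock "psv".
[monitor:///var/log/myapp/orders.log]   ; assumed path
sourcetype = myapp_psv                  ; assumed custom sourcetype name
index = main                            ; assumed index
disabled = false

# --- Search head / Splunk Light: props.conf ---
# Search-time field extraction keyed on the custom sourcetype. Anything
# indexed as plain "psv" never matches this stanza.
[myapp_psv]
REPORT-myapp_fields = myapp_psv_fields
# "Extract New Fields" typically saves its result as a regex-based
# EXTRACT-<name> under the sourcetype it was run against; moving that
# stanza under [myapp_psv] has the same effect as the REPORT above:
# EXTRACT-myapp_regex = ^(?<order_id>[^|]+)\|(?<customer>[^|]+)\|(?<amount>[^|]+)$

# --- Search head / Splunk Light: transforms.conf ---
# Delimiter-based extraction referenced by the REPORT- key above.
[myapp_psv_fields]
DELIMS = "|"
FIELDS = "order_id", "customer", "amount"   ; assumed field names
```

After editing the conf files, restart the forwarder for inputs.conf and reload or restart the search side for props/transforms; events already indexed under psv keep that sourcetype, so only newly forwarded data will carry myapp_psv.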