Splunk Search

Apply Field Extraction to similar sourcetypes that are named slightly differently

New Member

Hi,

I need to apply field extractions across multiple files. They are the same type of files but labeled slightly differently, such as: messages, messages-1, messages-2, messages-3, ... messages-13, etc. Currently I have to apply the same field extractions to each one and it's creating lots of work. I don't see any option in Splunk to apply them to multiple sourcetypes. I tried reading posts with similar issues, but they all seem to have different solutions and left me really confused. If you have a rock-solid solution, please let me know. Thank you ahead of time.

Jason


Splunk Employee

Hi @jason_perkins,

You will want to check out the ability to apply sourcetyping based on the “source”. This allows regex to be used to apply one sourcetype to many files without having to set it explicitly in many inputs, or to create duplicate sourcetypes:

[<spec>]
* This stanza enables properties for a given <spec>.

<spec> can be:
1. <sourcetype>, the source type of an event.
2. host::<host>, where <host> is the host, or host-matching pattern, for an event.
3. source::<source>, where <source> is the source, or source-matching pattern, for an event.
4. rule::<rulename>, where <rulename> is a unique name of a source type classification rule.
5. delayedrule::<rulename>, where <rulename> is a unique name of a delayed source type
   classification rule.
These are only considered as a last resort before generating a new source type based on the
source seen.

https://docs.splunk.com/Documentation/Splunk/latest/admin/Propsconf

Take a look at the props.conf.spec file and note the precedence rules.

**[<spec>] stanza precedence:**

For settings that are specified in multiple categories of matching [<spec>]
stanzas, [host::<host>] settings override [<sourcetype>] settings.
Additionally, [source::<source>] settings override both [host::<host>]
and [<sourcetype>] settings.
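What the answer above describes, written out as a props.conf fragment. This is an added example, not configuration posted in the thread: the log path /var/log/messages*, the sourcetype name linux_messages_syslog and the extraction regex are assumptions chosen to fit the rotated "messages, messages-1, ... messages-13" files in the question.

```ini
# props.conf (added example; path, sourcetype name and regex are assumptions)

# Parsing-time: every file whose source path matches the pattern is assigned
# ONE sourcetype, so Splunk never auto-generates messages-1, messages-2, ...
# In a [source::...] stanza name, '*' matches anything except '/', so this
# covers /var/log/messages, /var/log/messages-1 ... /var/log/messages-13.
# A [source::] stanza takes precedence over [host::] and [<sourcetype>] stanzas.
[source::/var/log/messages*]
sourcetype = linux_messages_syslog

# Search-time: write the field extraction once, against the shared sourcetype.
# Constructed sample line this regex is meant for:
#   Mar  4 10:22:01 web01 sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4410 ssh2
# Yields: syslog_host=web01 process=sshd pid=1234 message=Failed password ...
[linux_messages_syslog]
EXTRACT-syslog_fields = ^\w{3}\s+\d+\s[\d:]+\s(?<syslog_host>\S+)\s(?<process>[^\[:\s]+)(?:\[(?<pid>\d+)\])?:\s(?<message>.*)$
```

Two things a practitioner should check before relying on this. First, the `sourcetype =` assignment in the `[source::...]` stanza is a parsing-time setting, so it has to live where parsing happens (the indexers, or a heavy forwarder in front of them), while `EXTRACT-` is a search-time setting and belongs on the search head; putting both in one file only works on a single-instance deployment. Second, sourcetype assignment happens at index time, so data that was already indexed under the auto-generated names (messages-1, messages-2, ...) keeps those sourcetypes; only newly indexed events pick up the shared one. To confirm which stanza actually wins for a given source, run `splunk btool props list linux_messages_syslog --debug` on the relevant tier and look at the file each setting is resolved from.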