Hello. I'm new to regex and have been trying to understand how it works.
Let's say I have a log containing strings of information. I am to index it into Splunk and assign a sourcetype to it via props.conf and transforms.conf. Am I supposed to use regex to match a string and, if it matches, proceed to assign the sourcetype?
1 - Example, log contents as follows:
"This log belong to ABC"
2 - In transforms.conf:
[assign_sourcetype]
# Matched against _raw (the default SOURCE_KEY); \b keeps "ABC" from matching inside "ABCD"
REGEX = \bABC\b
FORMAT = sourcetype::ABC
DEST_KEY = MetaData:Sourcetype
# Only runs if a props.conf stanza for the original sourcetype or source names it, e.g. TRANSFORMS-st = assign_sourcetype
Anyway, the above regex does not work. Any help is much appreciated.
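As an added example (not the poster's own configuration), here is the minimal set of files that makes a sourcetype rewrite of this kind take effect end to end. The file path /var/log/myapp/app.log, the base sourcetype myapp and the rewritten sourcetypes myapp_abc and myapp_def are assumed names; the second pattern goes beyond the single ABC line in the question to show one log file being split into several sourcetypes.

```ini
# inputs.conf (on the forwarder): every event from this file starts out as
# sourcetype "myapp". Path and sourcetype names are assumed for this example.
[monitor:///var/log/myapp/app.log]
sourcetype = myapp
index = main

# props.conf (on the indexer or heavy forwarder, where parsing happens):
# the base sourcetype owns line breaking and timestamping, and lists the
# transforms to run, in order, against each event.
[myapp]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TRANSFORMS-set_sourcetype = st_abc, st_def

# transforms.conf: each stanza matches against _raw (the default SOURCE_KEY)
# and, on a match, overwrites the event's sourcetype. \b stops "ABC" from
# matching inside "ABCD".
[st_abc]
REGEX = \bABC\b
FORMAT = sourcetype::myapp_abc
DEST_KEY = MetaData:Sourcetype

[st_def]
REGEX = \bDEF\b
FORMAT = sourcetype::myapp_def
DEST_KEY = MetaData:Sourcetype
```

Two things to check when a rewrite like this seems to do nothing: a transforms.conf stanza is only executed if a props.conf stanza (keyed by the original sourcetype, or by [source::...]) names it in a TRANSFORMS- setting, and both files must live where parsing happens (indexer or heavy forwarder), not on a universal forwarder. Also, because the rewrite runs after line breaking and timestamp extraction, index-time settings written under [myapp_abc] in props.conf are never applied; only search-time knowledge objects (field extractions, eventtypes, lookups) keyed to the new sourcetype will follow it.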
Do NOT do it this way. I've seen many environments where they create sourcetypes willy-nilly and wonder why it takes forever to onboard data. Every time you create a unique sourcetype, you need to write base configs that tell the indexers how to break the events and how to read the timestamp. The best approach is to use the smallest number of sourcetypes and have a standard sourcetype for each data format. Then use eventtypes to differentiate between apps and environments, as you were doing with sourcetypes.
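As an added example of the approach recommended in the reply above (not the replier's own configuration), the same ABC/DEF split done with one standard sourcetype and search-time eventtypes. The sourcetype name myapp and the eventtype and tag names are assumed.

```ini
# props.conf: one standard sourcetype per data format, with the base configs
# (line breaking, and timestamp settings if the data carries one) written once.
[myapp]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)

# eventtypes.conf: search-time knowledge objects that tell apps or environments
# apart on top of the shared sourcetype. They cost nothing at index time and can
# be changed or added without re-onboarding the data.
[app_abc]
search = sourcetype=myapp "ABC"

[app_def]
search = sourcetype=myapp "DEF"

# tags.conf (optional): tag each eventtype so searches and dashboards can use
# tag=app_abc instead of repeating the search string.
[eventtype=app_abc]
app_abc = enabled

[eventtype=app_def]
app_def = enabled
```

In searches, `eventtype=app_abc` or `tag=app_abc` then selects the ABC events, and field extractions, lookups and alerts stay attached to the single sourcetype myapp.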
Please find the regex " (?ms).to(?.)" for the example you provided, "This log belong to ABC".
Similarly, you can proceed using the online tool https://regex101.com/
Any update? Is this helpful?
Hi,
You specify the sourcetype at input time (it is more efficient) in inputs.conf.
So you would have your monitor stanza ([monitor this file]) and, under that, you put sourcetype = mysourcetype.
There is no need for regex unless you are trying to extract multiple sourcetypes from a single log, or something like that.
Hi linwqg,
If you're new to regex, you could follow two ways:
Anyway, I'm not sure that you can assign a sourcetype using a regex, because sourcetype is a field that identifies a data flow, and all the following knowledge objects (fields, eventtypes, ...) are related to the sourcetype, so if you have dynamic sourcetypes, how can your knowledge objects follow the sourcetypes?
Bye.
Giuseppe