Splunk Search

Cross reference sourcetype in a lookup table

kmattern
Builder

I have a large number of Mid-Tier systems. Each one is associated with a specific set of IIS logs. Unfortunately the logs all have the same name. They are, however, stored in different folder structures based on the Mid-Tier name. All on the same Top Tier machine.

What I need to do is to be able to differentiate between all these log files based on the Mid-Tier name. Ideally what I would like to do is assign a specific sourcetype to each Mid-Tier and then use a lookup table to get the sourcetype by searching for the specific Mid-Tier. Then pass the sourcetype to a search so that data related to that specific Mid-Tier is returned from the correct set of logs, based on the sourcetype.

Is this even possible?

1 Solution

sowings
Splunk Employee

The "source" field contains the filename of the log that got indexed. I've set up a field extraction, based on the source field, to identify a part of the directory path to indicate the "type" of web instance I was looking at. Then, you can use it as a search parameter.

You could also use a lookup on the sourcetype as you've indicated. However, doing so means that you're maintaining a list of several sourcetypes, even though the data has the same shape (and would therefore typically be the same sourcetype). If I'm mistaken about that, and you do genuinely have different sourcetypes, then by all means, key this Mid-Tier field from the sourcetype.

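As an added example of the source-based extraction sowings describes (this is not configuration from the thread), the stanza below is a search-time field extraction in props.conf. It assumes the IIS logs are indexed under the sourcetype iis and that the Mid-Tier name is the directory that sits directly under a folder named MidTier in each log's path; both the sourcetype name and the folder layout are assumptions, not facts from the thread.

```ini
# props.conf on the search head (search-time extraction; assumed sourcetype "iis")
[iis]
# Assumed path layouts (constructed for this example):
#   D:\Logs\MidTier\app01\W3SVC1\u_ex240301.log        (Windows)
#   /var/log/MidTier/app01/W3SVC1/u_ex240301.log       (POSIX)
# [\\/] matches either path separator; (?i) makes "MidTier" case-insensitive.
# The trailing "in source" tells Splunk to run the regex against the source
# field (the indexed file path) instead of the event text in _raw.
EXTRACT-midtier = (?i)[\\/]MidTier[\\/](?<midtier>[^\\/]+)[\\/] in source
```

Once the extraction is in place, the Mid-Tier name is an ordinary search-time field: `sourcetype=iis midtier=app01 | stats count by cs_uri_stem` pulls only that instance's requests, and `sourcetype=iis | stats count by midtier` confirms every expected Mid-Tier is being picked up (an empty or missing value means a path that did not match the regex). Because the extraction runs at search time, the field is not indexed; if you only need a quick filter and have not configured anything yet, a wildcard on the path itself already works: `sourcetype=iis source="*\\MidTier\\app01\\*"`.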

kmattern
Builder

Of course! I was totally blind to the source itself. The Mid-Tier name is embedded in the source path. I can pull the Mid-Tier name from the path and dispense with different sourcetypes.
