Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Cross reference sourcetype in a lookup table

kmattern
Builder
‎08-01-2013 08:38 AM

I have a large number of Mid-Tier systems. Each one is associated with a specific set of IIS logs. Unfortunately the logs all have the same name. They are, however, stored in different folder structures based on the Mid-Tier name. All on the same Top Tier machine.

What I need to do is to be able to differentiate between all these log files based on the Mid-Tier name. Ideally what I would like to do is assign a specific sourcetype to each Mid-Tier and then use a lookup table to get the sourcetype by searching for the specific Mid-Tier. Then pass the sourcetype to a search so that data related to that specific Mid-Tier is returned from the correct set of logs, based on the sourcetype.

Is this even possible?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sowings
Splunk Employee
Splunk Employee
‎08-01-2013 11:00 AM

The "source" field contains the filename of the log that got indexed. I've set up a field extraction, based on the source field, to identify a part of the directory path to indicate the "type" of web instance I was looking at. Then, you can use it as a search parameter.

You could also use a lookup on the sourcetype as you've indicated. However, doing so means that you're maintaining a list of several sourcetypes, even though the data has the same shape (and would therefore typically be the same sourcetype). If I'm mistaken about that, and you do genuinely have different sourcetypes, then by all means, key this Mid-Tier field from the sourcetype.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sowings
Splunk Employee
Splunk Employee
‎08-01-2013 11:00 AM

The "source" field contains the filename of the log that got indexed. I've set up a field extraction, based on the source field, to identify a part of the directory path to indicate the "type" of web instance I was looking at. Then, you can use it as a search parameter.

You could also use a lookup on the sourcetype as you've indicated. However, doing so means that you're maintaining a list of several sourcetypes, even though the data has the same shape (and would therefore typically be the same sourcetype). If I'm mistaken about that, and you do genuinely have different sourcetypes, then by all means, key this Mid-Tier field from the sourcetype.

0 Karma
Reply
Solved! Jump to solution

kmattern
Builder
‎08-01-2013 11:12 AM

Of course! I was totally blind to the source itself. The Mid-Tier name is embedded in teh source path. I can pull the Mid-Tier name form the path and dispense with different sourcetypes.

0 Karma
Reply
Get Updates on the Splunk Community!

Data Preparation Made Easy: SPL2 for Edge Processor

By now, you may have heard the exciting news that Edge Processor, the easy-to-use Splunk data preparation tool ...

Introducing Edge Processor: Next Gen Data Transformation

We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...

Tips & Tricks When Using Ingest Actions

Tune in to learn about:Large scale architecture when using Ingest ActionsRegEx performance considerations ...