Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Different type of parcing in a single index

ethanthomas
Explorer
‎04-15-2021 09:34 PM

The requirement is, there is a single index . Data in three different format and there is an InputType coming in the raw data to identify . Below is just an exmaple 

InputType="mBP" |name|employee id|username|address|designation | manager name

InputType="eMQ" |designation|years of emp|office location|department 

InputType="qCP" |department| department head| employee count | designations 

The data format is different in these cases . So the question is , it is posisble to have different parcing based on the InputType ? What is the solution for this ? Do i need to create new 3 indexes ? or wth in same index , how the 3 different parcing can be done ? what are the conf file changes required? Help is appreciated with different  possible solutions on this . 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

ethanthomas
Explorer
‎04-19-2021 03:25 PM

I have changed the props and transforms file to assin the source type as InputType . But still the source type coming is the one value defined in the input .conf file . Any issues ?

0 Karma
Reply

manjunathmeti
Champion
‎04-19-2021 11:45 PM

Post .conf files and sample data.

0 Karma
Reply

manjunathmeti
Champion
‎04-15-2021 10:00 PM

hi @ethanthomas,

You can index the data in three separate source types per InputType in a single index. If you have separate input monitors for each InputType raw data then you can specify sourcetype in the monitor stanza in inputs.conf.

[monitor:///path/to/fileInputType1]
index=index
sourcetype=sourcetype1

[monitor:///path/to/fileInputType2]
index=index
sourcetype=sourcetype2

 But if the raw data is coming in the same file then you can use props.conf and transforms.conf to route data to particular source type based InputType values.

Check this page: https://docs.splunk.com/Documentation/Splunk/8.1.2/Data/Advancedsourcetypeoverrides

 

If this reply helps you, a like would be appreciated.
 

0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...