Re: Different type of parcing in a single index

ethanthomas · ‎04-15-2021

The requirement is, there is a single index . Data in three different format and there is an InputType coming in the raw data to identify . Below is just an exmaple

InputType="eMQ" |designation|years of emp|office location|department

InputType="qCP" |department| department head| employee count | designations

The data format is different in these cases . So the question is , it is posisble to have different parcing based on the InputType ? What is the solution for this ? Do i need to create new 3 indexes ? or wth in same index , how the 3 different parcing can be done ? what are the conf file changes required? Help is appreciated with different possible solutions on this .

ethanthomas · ‎04-19-2021

I have changed the props and transforms file to assin the source type as InputType . But still the source type coming is the one value defined in the input .conf file . Any issues ?

manjunathmeti · ‎04-19-2021

Post .conf files and sample data.

manjunathmeti · ‎04-15-2021

hi @ethanthomas,

You can index the data in three separate source types per InputType in a single index. If you have separate input monitors for each InputType raw data then you can specify sourcetype in the monitor stanza in inputs.conf.

[monitor:///path/to/fileInputType1]
index=index
sourcetype=sourcetype1

[monitor:///path/to/fileInputType2]
index=index
sourcetype=sourcetype2

But if the raw data is coming in the same file then you can use props.conf and transforms.conf to route data to particular source type based InputType values.

Check this page: https://docs.splunk.com/Documentation/Splunk/8.1.2/Data/Advancedsourcetypeoverrides

If this reply helps you, a like would be appreciated.

Different type of parcing in a single index

field extraction

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk