Field names from file, including source and host

jgauthier
Contributor

I've written an application that outputs data that I would like to index. Of course, I have a series of requirements.

First, I'd like to extract the host and the sourcetype from the file.
I am reading http://www.splunk.com/base/Documentation/4.1.8/Admin/Advancedsourcetypeoverrides
on how to achieve this, but haven't succeeded.

props.conf

[source::Z:\ServerInput]
TRANSFORMS-changesrchost=SrvMonsource,SrvMonHost

transforms.conf

[SrvMonSource]
DEST_KEY = MetaData:Sourcetype
REGEX = Source: (.+)
FORMAT = sourcetype::$1

[SrvMonHost]
REGEX = Host: (.+)
FORMAT = host::$1
DEST_KEY = MetaData:Host

Secondly, I'd like to extract the field names from the fields in the file. The file format looks like this:

Host: L-JGAUTHIER
Source: OSInfo
BootDevice: \Device\HarddiskVolume2
BuildNumber: 7600
BuildType: Multiprocessor Free
Caption: Microsoft Windows 7 Enterprise 
CodeSet: 1252
CountryCode: 1
CreationClassName: Win32_OperatingSystem
CSCreationClassName: Win32_ComputerSystem
CSDVersion: 
CSName: L-JGAUTHIER

And lastly, I want to delete the file once it's indexed. I can probably use the spool directory for this, but I'm not sure yet if that will work since I am not sure if I can make that a source or not in my application (in props.conf).

Thanks for any pointers.

0 Karma
1 Solution

jgauthier
Contributor

I was able to achieve all aspects of what I wanted.

First, my inputs.conf:

[batch://Z:\ServerInput]
disabled=0
recursive=false
sourcetype=SrvMon
move_policy = sinkhole

This implemented the sinkhole I wanted.

props.conf

[SrvMon]
TRANSFORMS-metadata=SrvMonHost,SrvMonSource

transforms.conf:

[SrvMonSource]
DEST_KEY = MetaData:Sourcetype
REGEX = Source=(.+)
FORMAT = sourcetype::$1

[SrvMonHost]
REGEX = Host=(.+)
FORMAT = host::$1
DEST_KEY = MetaData:Host

And lastly, I changed my field format to be "Field=Data" so splunk picked up the key/value pair automatically.

Working great!

0 Karma

hazekamp
Builder

jgauthier,

1.  Having your inputs.conf would be helpful.  Is the source file "ServerInput" or "ServerInput\<somefile>"?
2.  Try:
## props.conf
[source::<source>]
KV_MODE = None
REPORT-auto_kv_for_my_source = auto_kv_for_my_source

## transforms.conf
[auto_kv_for_my_source]
REGEX = ^(\S+):(?:\s+)?(.+)
FORMAT = $1::$2
MV_ADD = True

3.  Use the batch input instead of the monitor input.
[batch://<path>]
* One time, destructive input of files in <path>.
* For continuous, non-destructive inputs of files, use monitor instead.

# Additional attributes:

move_policy = sinkhole
* IMPORTANT: This attribute/value pair is required. You *must* include "move_policy = sinkhole" when defining batch inputs.
* This loads the file destructively.  
* Do not use the batch input type for files you do not want to consume destructively.

host_regex = see MONITOR, above.
host_segment = see MONITOR, above.
crcSalt = see MONITOR, above.

# IMPORTANT: The following attribute is not used by batch:
# source = <string>
0 Karma