Splunk Search

How does rule based sourcetype works?

splunker12er
Motivator

In the stanzas below, both have the same sourcetype name; what will the priority be when assigning the sourcetype?

Has anybody used rule-based sourcetypes? Any example would be very useful.

In the below case, does "MORE_THAN_75" mean the number of events?

Normal sourcetype: access_combined

[access_combined]
pulldown_type = true
maxDist = 28
MAX_TIMESTAMP_LOOKAHEAD = 128
REPORT-access = access-extractions
SHOULD_LINEMERGE = False
TIME_PREFIX = \[

Rule-based sourcetype: access_combined

[rule::access_combined]
sourcetype = access_combined
MORE_THAN_75 = ^\S+ \S+ \S+ \S* ?\[[^\]]+\] "[^"]*" \S+ \S+ \S+ "[^"]*"$

MuS
Legend

Hi splunker12er,

the docs provide nice examples http://docs.splunk.com/Documentation/Splunk/6.1.1/Data/Configurerule-basedsourcetyperecognition#Exam... about rule-based sourcetype assignment.

Related to your example, this means that if 75% or more of the input lines match the regex, then this sourcetype will be used.

Cheers, MuS
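Added example, not from the question, the answer, or Splunk's own code: a small Python simulation of how a [rule::...] stanza is evaluated against a sample of input lines. Two points from the thread are worth seeing in code. First, the two stanzas in the question do not compete: [access_combined] is a sourcetype stanza that configures parsing (line merging, timestamp lookahead, the REPORT-access extractions) for events that already carry that sourcetype, while [rule::access_combined] is the rule that assigns the sourcetype when enough sample lines match. Second, the number in MORE_THAN_75 is a percentage of lines, not an event count. Before deploying a rule, it is worth running the rule's regex over a few hundred real lines of the log, because a rule that misfires leaves the access logs without their field extractions and searches built on them silently return nothing. Assumptions: the script takes the key name literally, so MORE_THAN_75 requires strictly more than 75% (whether Splunk counts exactly 75% as a match is not stated on this page); all MORE_THAN/LESS_THAN conditions in one rule must hold together; the second rule [rule::syslog_like] and all sample log lines are constructed for the demonstration.

```python
import re
from typing import Dict, List, Optional, Pattern, Tuple

# Constructed props.conf fragment. The first two stanzas are the ones from the
# question; [rule::syslog_like] is a hypothetical second rule added here to show
# that LESS_THAN conditions are evaluated too.
PROPS_CONF = r"""
[access_combined]
pulldown_type = true
SHOULD_LINEMERGE = False
REPORT-access = access-extractions

[rule::access_combined]
sourcetype = access_combined
MORE_THAN_75 = ^\S+ \S+ \S+ \S* ?\[[^\]]+\] "[^"]*" \S+ \S+ \S+ "[^"]*"$

[rule::syslog_like]
sourcetype = syslog
MORE_THAN_50 = ^\w{3} +\d+ \d\d:\d\d:\d\d \S+ \S+:
LESS_THAN_10 = "[^"]*"
"""

Condition = Tuple[str, int, Pattern]  # ("MORE_THAN" | "LESS_THAN", percent, regex)


def parse_rules(text: str) -> Dict[str, dict]:
    """Extract [rule::<name>] stanzas from props.conf-style text.

    Plain sourcetype stanzas such as [access_combined] are skipped on purpose:
    they configure parsing for a sourcetype that has already been assigned and
    play no part in the assignment decision itself.
    """
    rules: Dict[str, dict] = {}
    current: Optional[dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            if name.startswith("rule::"):
                current = rules.setdefault(
                    name[len("rule::"):], {"sourcetype": None, "conditions": []}
                )
            else:
                current = None
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "sourcetype":
            current["sourcetype"] = value
            continue
        m = re.fullmatch(r"(MORE_THAN|LESS_THAN)_(\d{1,3})", key)
        if m:
            current["conditions"].append((m.group(1), int(m.group(2)), re.compile(value)))
    return rules


def match_percentage(regex: Pattern, lines: List[str]) -> float:
    """Share (0..100) of sample lines the regex matches."""
    if not lines:
        return 0.0
    hits = sum(1 for line in lines if regex.search(line))
    return 100.0 * hits / len(lines)


def rule_matches(rule: dict, lines: List[str]) -> bool:
    """All conditions of one rule must hold (assumption, see lead-in).
    MORE_THAN_N is read as strictly greater than N percent."""
    for op, pct, regex in rule["conditions"]:
        share = match_percentage(regex, lines)
        if op == "MORE_THAN" and not share > pct:
            return False
        if op == "LESS_THAN" and not share < pct:
            return False
    return True


def assign_sourcetype(rules: Dict[str, dict], lines: List[str]) -> Optional[str]:
    """First rule (in file order) whose conditions hold wins; None if no rule fires."""
    for rule in rules.values():
        if rule_matches(rule, lines):
            return rule["sourcetype"]
    return None


RULES = parse_rules(PROPS_CONF)

# Constructed sample lines: four Apache combined-format lines and three syslog lines.
ACCESS_LINES = [
    '10.0.0.1 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326 "-" "Mozilla/4.08"',
    '10.0.0.2 - alice [10/Oct/2000:13:56:01 -0700] "POST /login HTTP/1.1" 302 0 "http://example.test/" "curl/7.88"',
    '10.0.0.3 - - [10/Oct/2000:13:57:12 -0700] "GET /admin HTTP/1.1" 403 512 "-" "Mozilla/5.0"',
    '10.0.0.4 - - [10/Oct/2000:13:58:45 -0700] "GET /robots.txt HTTP/1.1" 404 208 "-" "Bot/1.0"',
]
SYSLOG_LINES = [
    "Oct 10 13:55:36 host1 sshd[1234]: Accepted publickey for alice from 10.0.0.9 port 5022",
    "Oct 10 13:55:40 host1 sshd[1235]: Failed password for root from 10.0.0.9 port 5023",
    "Oct 10 13:55:41 host1 sshd[1235]: Connection closed by 10.0.0.9 port 5023",
]

if __name__ == "__main__":
    for label, sample in (
        ("pure access log", ACCESS_LINES),
        ("4 access + 1 syslog (80%)", ACCESS_LINES + SYSLOG_LINES[:1]),
        ("3 access + 1 syslog (exactly 75%)", ACCESS_LINES[:3] + SYSLOG_LINES[:1]),
        ("3 access + 2 syslog (60%)", ACCESS_LINES[:3] + SYSLOG_LINES[:2]),
        ("pure syslog", SYSLOG_LINES),
    ):
        print(f"{label:36s} -> {assign_sourcetype(RULES, sample)}")
```

The mixed samples show why the percentage threshold matters: a file that is 60% access log and 40% something else matches neither rule and would fall through to whatever Splunk does next, so a sample that is not homogeneous is the case to test against before relying on the rule for security-relevant logs.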
