Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a custom field with values based on the monitors in inputs.conf

jackiewkc
Path Finder
‎08-21-2015 09:39 AM

Hi,

In my inputs.conf I have a number of monitors. I would like to create a custom field called logtypevalue with values based of the monitors. For example, if the monitor is:

[monitor://D:\logs\logfiles\tomcat*.log]

I want the value of logtypevalue set to abcde.

If the monitor is:

[monitor://D:\logs\logfiles\apache*.log]

I want the value of logtypevalue set to testing.

Basically the values of logtypevalue can't be extracted from the monitor so I am not sure how I can do this.

Any help will be greatly appreciated.

Thanks.

Jackie

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-21-2015 10:21 AM

I don't know you can do that in inputs.conf, but it's possible in props.conf. In the appropriate stanza for each input's sourcetype add

EVAL-logtypevalue = "abcde"

or

EVAL-logtypevalue = "testing"
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎08-21-2015 04:19 PM

You can hard-code each monitor inside inputs.conf with a unique sourcetype such as STunique1, STunique2, etc.
Then inside props.conf you do like @richgalloway said and use EVAL-logtypevalue="testing" or whatever, for each unique sourcetype but you also rename the sourcetype here with rename = "STcommon" so that in the end, each one goes back to sharing the same sourcetype but with unique values for logtypevalue!

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-21-2015 10:21 AM

I don't know you can do that in inputs.conf, but it's possible in props.conf. In the appropriate stanza for each input's sourcetype add

EVAL-logtypevalue = "abcde"

or

EVAL-logtypevalue = "testing"
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

jackiewkc
Path Finder
‎08-24-2015 05:40 AM

Thanks a lot. I managed to do it based on your suggestion.

In props.conf, I have this setting:

[source::D:\abc\testing*.log]
EVAL-log_type = "testing-logs"

[source::D:\def\reporting*.log]
EVAL-log_type = "reporting-logs"

Now my question is that is it possible to specify the index in the above settings as well?

It may happen that logs with the same paths coming from different servers for different indexes will match the paths above. I only want those that match the paths above and for a particular index to have log_type configured.

Is this possible?

Thanks.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎08-24-2015 10:12 AM

See my alternative answer. It will allow you to take into effect the index value by doing this based on sourcetype rather than by source (eliminating your problem entirely).

0 Karma
Reply
Solved! Jump to solution

jackiewkc
Path Finder
‎08-25-2015 01:17 AM

Thanks for the reply, but the problem we have is that we use sourcetype for something else (linebreak). Therefore in our inputs.conf, there are multiple monitors with the same sourcetype which can't be changed. This means the only thing we can use to distinguish between different sources (i.e. monitors) is the source itself.

Now I have updated props.conf with the settings in my reply above, and it works fine. There should not be another monitor with the exact same path but for a different index cos that would not be right, but I am just thinking out loud here whether it is possible to include the index in the configs above. Something like if the source is D:\def\reporting*.log and it is for the index "abc" then do the EVAL-log_type part.

Thanks.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎08-25-2015 06:56 AM

Not possible.

0 Karma
Reply
Solved! Jump to solution

jackiewkc
Path Finder
‎08-25-2015 07:57 AM

ok, thanks for getting back to me.

0 Karma
Reply
Solved! Jump to solution

jackiewkc
Path Finder
‎08-24-2015 05:36 AM

Thanks a lot. I managed to do it based on your suggestion.

In props.conf, I have this setting:

[source::D:\\abc\\testing*.log]
EVAL-log_type = "testing-logs"

[source::D:\\def\\reporting*.log]
EVAL-log_type = "reporting-logs"

Now my question is that is it possible to specify the index in the above settings as well?

It may happen that logs with the same paths coming from different servers for different indexes will match the paths above. I only want those that match the paths above and for a particular index to have log_type configured.

Is this possible?

Thanks.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-24-2015 05:43 AM

You can include index=foo in your inputs.conf file, but not props.conf.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
li.common.scroll-to.top