Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Sourcetype cannot work with RENAME

catty
Engager
‎10-03-2011 08:28 PM

I trying to rename sourcetype for this regex but won't work
but when i remove the rename = httpd-access its work?

[access]

rename = httpd-access

EXTRACT-ip = [(?P[^]]+)

EXTRACT-host = (?i)^[^,]*,\d+\s+(?P[^ ]+)

i using splunk Uforwarder

[monitor:///opt/log/*]

sourcetype = access

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ledion_Bitincka
Splunk Employee
Splunk Employee
‎10-03-2011 09:04 PM

I am not sure I completely understand your question, but I am going to assume that your field extractions are not working when you have rename attribute set.

Sourcetype renaming is a search time operation that happens before field extractions. Thus Splunk will use search-time field extractions defined in [httpd-access] stanza for events that have been indexed as coming from the "access" sourcetype. Give the following props.conf stanzas (in the search head) a test run

[access]
rename = httpd-access

[httpd-access]
EXTRACT-ip = [(?P<ip>[^]]+)
EXTRACT-host = (?i)^[^,]*,d+s+(?P<host>[^ ]+)

View solution in original post

Reply
Solved! Jump to solution
Solution

Ledion_Bitincka
Splunk Employee
Splunk Employee
‎10-03-2011 09:04 PM

I am not sure I completely understand your question, but I am going to assume that your field extractions are not working when you have rename attribute set.

Sourcetype renaming is a search time operation that happens before field extractions. Thus Splunk will use search-time field extractions defined in [httpd-access] stanza for events that have been indexed as coming from the "access" sourcetype. Give the following props.conf stanzas (in the search head) a test run

[access]
rename = httpd-access

[httpd-access]
EXTRACT-ip = [(?P<ip>[^]]+)
EXTRACT-host = (?i)^[^,]*,d+s+(?P<host>[^ ]+)
Reply
Solved! Jump to solution

catty
Engager
‎10-03-2011 09:16 PM

that work great help..! thank you very much.. FIXED!

0 Karma
Reply
Get Updates on the Splunk Community!

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Ready to master Kubernetes and cloud monitoring like the pros?Join Splunk’s Growth Engineering team for an ...

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...