Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Sourcetype cannot work with RENAME

catty
Engager
‎10-03-2011 08:28 PM

I trying to rename sourcetype for this regex but won't work
but when i remove the rename = httpd-access its work?

[access]

rename = httpd-access

EXTRACT-ip = [(?P[^]]+)

EXTRACT-host = (?i)^[^,]*,\d+\s+(?P[^ ]+)

i using splunk Uforwarder

[monitor:///opt/log/*]

sourcetype = access

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ledion_Bitincka
Splunk Employee
Splunk Employee
‎10-03-2011 09:04 PM

I am not sure I completely understand your question, but I am going to assume that your field extractions are not working when you have rename attribute set.

Sourcetype renaming is a search time operation that happens before field extractions. Thus Splunk will use search-time field extractions defined in [httpd-access] stanza for events that have been indexed as coming from the "access" sourcetype. Give the following props.conf stanzas (in the search head) a test run

[access]
rename = httpd-access

[httpd-access]
EXTRACT-ip = [(?P<ip>[^]]+)
EXTRACT-host = (?i)^[^,]*,d+s+(?P<host>[^ ]+)

View solution in original post

Reply
Solved! Jump to solution
Solution

Ledion_Bitincka
Splunk Employee
Splunk Employee
‎10-03-2011 09:04 PM

I am not sure I completely understand your question, but I am going to assume that your field extractions are not working when you have rename attribute set.

Sourcetype renaming is a search time operation that happens before field extractions. Thus Splunk will use search-time field extractions defined in [httpd-access] stanza for events that have been indexed as coming from the "access" sourcetype. Give the following props.conf stanzas (in the search head) a test run

[access]
rename = httpd-access

[httpd-access]
EXTRACT-ip = [(?P<ip>[^]]+)
EXTRACT-host = (?i)^[^,]*,d+s+(?P<host>[^ ]+)
Reply
Solved! Jump to solution

catty
Engager
‎10-03-2011 09:16 PM

that work great help..! thank you very much.. FIXED!

0 Karma
Reply
Get Updates on the Splunk Community!

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

&#x1f5e3; You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...

Splunk New Course Releases for a Changing World

Every day, the world feels like it’s moving faster with new technological breakthroughs, AI innovation, and ...