×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
pkaushik1
New Member
Member since: ‎03-07-2016
‎06-05-2020
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎03-07-2016
Activity Feed
Topics I've Started
View All

Re: Using preloaded sourcetypes

by in Splunk Search
‎03-08-2016 10:04 AM
‎03-08-2016 10:04 AM
Thanks that did the trick. However, I still am not sure how to uniquely identify the jetty logs (in the case above for example) from other logs that I have. E.g. in our company all the logs are getting indexed under "distApps" index and if the source type is a pretrained sourcetype then I have no unique way of identifying my jetty logs from say someone else's jetty logs as the index and the source type will be the same. Is there a way to overcome this while keeping the index the same? Or is the best practice to change the index itself to match something that is unique to our product's jetty logs? Also is there a way to access a pretrained source type in K-V format? Or do additional transforms have to take place to a pretrained sourcetype before we can do K-V queries? Thanks! ... View more

Using preloaded sourcetypes

by in Splunk Search
‎03-07-2016 07:52 PM
‎03-07-2016 07:52 PM
I am having difficulty setting up my forwarder with a preloaded source type. I have identified the source type as "access_combined". On my inputs.conf on the forwarder I have something like this: [monitor:///home/user/dev/build/apps/testproduct/main/logs/jetty/*] sourcetype = access_combined disabled = false In my props.conf I have: [source::/home/user/dev/build/apps/testproduct/main/logs/jetty/jetty*.log] sourcetype = access_combined I imagined this would be sufficient for the forwarder configs - but the logs are not being forwarded. So: 1. I am not sure what this means for the indexer configs. If I am using a preloaded sourcetype (access_combined), does it then still require inputs.conf and props.conf on the indexer? 2. Also how do I uniquely identify logs from my forwarder within the indexer even if they have a preloaded sourcetype? Thanks ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM