×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
jason_perkins
New Member
Member since: ‎02-11-2019
‎06-05-2020
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎02-11-2019
Activity Feed
View All

Re: Apply Field Extraction to similar sourcetypes ...

by Splunk Employee in Splunk Search
‎08-15-2019 01:29 AM
‎08-15-2019 01:29 AM
Hi @jason_perkins, You will want to check out the ability to apply sourcetyping based on the “source”. This allows regex to be used to apply one sourcetype to many files without having to set it explicitly in many inputs, or to create duplicate sourcetypes: [] * This stanza enables properties for a given . can be: 1. , the source type of an event. 2. host::, where is the host, or host-matching pattern, for an event. 3. source::, where is the source, or source-matching pattern, for an event. 4. rule::, where is a unique name of a source type classification rule. 5. delayedrule::, where is a unique name of a delayed source type classification rule. These are only considered as a last resort before generating a new source type based on the source seen. https://docs.splunk.com/Documentation/Splunk/latest/admin/Propsconf Take a look at the props.conf.spec file and note the precendece rules. **[] stanza precedence:** For settings that are specified in multiple categories of matching [] stanzas, [host::] settings override [] settings. Additionally, [source::] settings override both [host::] and [] settings. ... View more

Do you have any suggestions on how to get Splunk t...

by in Splunk Search
‎02-11-2019 11:49 AM
‎02-11-2019 11:49 AM
We are importing Linux Syslogs and Windows NTSyslogs and fields are not getting automatically extracted. The only fields that are getting extracted are Host, Index, Date&Time, Source, and SourceType all other fields are not getting extracted. The version of Splunk we are using is 6.4.0. I am sure a Splunk upgrade would fix a lot of these issues, but it seems like it will take an act of Congress to do so. So any suggestions on how to get Splunk to recognize the fields to be extracted automatically. ~ Jason ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM