×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
foufoumad
New Member
Member since: ‎10-09-2019
‎06-05-2020
Community Statistics
Posts 1
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎10-09-2019
View All

Re: Multiple sourcetypes and listenners on the sam...

by SplunkTrust in Deployment Architecture
‎10-10-2019 01:40 AM
‎10-10-2019 01:40 AM
Hi foufoumad, you have to ingest all sources with a sourcetype (e.g. syslog) then override the sourcetype based on regex. The main job is to identify a regex for each kind of source. For more information see at https://docs.splunk.com/Documentation/Splunk/latest/Data/Advancedsourcetypeoverrides In few words: on props.conf [syslog] TRANSFORMS-changesourcetype_source1 = set_sourcetype_1 TRANSFORMS-changesourcetype_source2 = set_sourcetype_2 on transforms.conf [set_sourcetype_1] REGEX = your_regex1 FORMAT = sourcetype::your_new_sourcetype_1 DEST_KEY = MetaData:Sourcetype [set_sourcetype_2] REGEX = your_regex2 FORMAT = sourcetype::your_new_sourcetype_2 DEST_KEY = MetaData:Sourcetype Bye. Giuseppe ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM