Getting Data In

How can I create and update a sourcetype using the REST API?

Mozzieman
Explorer

Hi,

I've been hunting through the REST API Documentation , as well as searching online, for the correct endpoint/curl request for maintaining sourcetypes, but haven't found anything. It is a trivial task using the UI, but my use case is that I want to spin up a splunk instance using a script, as part of an automated test process, so UI input won' meet the requirement.

Can anyone point me in the right direction?

Labels (1)
0 Karma
1 Solution

Mozzieman
Explorer

Turns out the required approach was different from what I had imagined, and in fact rather simpler. What I needed to do was:

1. Load my data file (in this case a sample log file)

2. Set up my index:

curl -k -u <user>:<password> https://localhost:8089/servicesNS/admin/search/data/indexes -d name=<index-name>

3. Monitor the log directory, assigning to it the required source type:

curl -k -u <user>:<password> https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor -d name="/path/to/my/logs" -d index=<index-name> -d host=<host-name> -d sourcetype=<required-source-type>

All events from that source will be assigned the required source type.

View solution in original post

0 Karma

Mozzieman
Explorer

Thanks for your swift reply! I haven't got the whole answer yet, but that certainly helps as I was not aware of how the config works. Seems like it is probably the local/props.conf file that I need to be updating, referencing this spec. I will do some more research and post a full answer when I have one

0 Karma

Mozzieman
Explorer

Turns out the required approach was different from what I had imagined, and in fact rather simpler. What I needed to do was:

1. Load my data file (in this case a sample log file)

2. Set up my index:

curl -k -u <user>:<password> https://localhost:8089/servicesNS/admin/search/data/indexes -d name=<index-name>

3. Monitor the log directory, assigning to it the required source type:

curl -k -u <user>:<password> https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor -d name="/path/to/my/logs" -d index=<index-name> -d host=<host-name> -d sourcetype=<required-source-type>

All events from that source will be assigned the required source type.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Yes, you should update a local config file and (almost) never a default file.

---
If this reply helps you, Karma would be appreciated.

richgalloway
SplunkTrust
SplunkTrust

Given that a sourcetype is just a stanza name in a props.conf file, I think you need either the configs/conf-props endpoint or the properties/props endpoint.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...

Secure Your Future: Mastering Upgrade Readiness for Splunk 10

Spotlight: The Splunk Health Assistant Add-On  The Splunk Health Assistant Add-On is your ultimate companion ...

Observability Unlocked: Kubernetes & Cloud Monitoring with Splunk IM

Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team on ...