Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I create and update a sourcetype using the REST API?

Mozzieman
Explorer
‎09-29-2023 06:05 AM

Hi,

I've been hunting through the REST API Documentation , as well as searching online, for the correct endpoint/curl request for maintaining sourcetypes, but haven't found anything. It is a trivial task using the UI, but my use case is that I want to spin up a splunk instance using a script, as part of an automated test process, so UI input won' meet the requirement.

Can anyone point me in the right direction?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Mozzieman
Explorer
‎11-17-2023 08:26 AM

Turns out the required approach was different from what I had imagined, and in fact rather simpler. What I needed to do was:

1. Load my data file (in this case a sample log file)

2. Set up my index:

curl -k -u <user>:<password> https://localhost:8089/servicesNS/admin/search/data/indexes -d name=<index-name>

3. Monitor the log directory, assigning to it the required source type:

curl -k -u <user>:<password> https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor -d name="/path/to/my/logs" -d index=<index-name> -d host=<host-name> -d sourcetype=<required-source-type>

All events from that source will be assigned the required source type.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

Mozzieman
Explorer
‎09-29-2023 07:24 AM

Thanks for your swift reply! I haven't got the whole answer yet, but that certainly helps as I was not aware of how the config works. Seems like it is probably the local/props.conf file that I need to be updating, referencing this spec. I will do some more research and post a full answer when I have one

0 Karma
Reply
Solved! Jump to solution
Solution

Mozzieman
Explorer
‎11-17-2023 08:26 AM

Turns out the required approach was different from what I had imagined, and in fact rather simpler. What I needed to do was:

1. Load my data file (in this case a sample log file)

2. Set up my index:

curl -k -u <user>:<password> https://localhost:8089/servicesNS/admin/search/data/indexes -d name=<index-name>

3. Monitor the log directory, assigning to it the required source type:

curl -k -u <user>:<password> https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor -d name="/path/to/my/logs" -d index=<index-name> -d host=<host-name> -d sourcetype=<required-source-type>

All events from that source will be assigned the required source type.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-29-2023 09:49 AM

Yes, you should update a local config file and (almost) never a default file.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-29-2023 06:33 AM

Given that a sourcetype is just a stanza name in a props.conf file, I think you need either the configs/conf-props endpoint or the properties/props endpoint.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...

Secure Your Future: Mastering Upgrade Readiness for Splunk 10

Spotlight: The Splunk Health Assistant Add-On  The Splunk Health Assistant Add-On is your ultimate companion ...

Observability Unlocked: Kubernetes & Cloud Monitoring with Splunk IM

Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team on ...