Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create multiple source types from a single log file?

acsanders
New Member
‎04-17-2017 07:44 AM

I am ingesting 1 file that has multiple server IP addresses. I need to source type each server based on the IP address. I have tried using the props.conf and transforms.conf with no luck. Any help would be much appreciated.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
SplunkTrust
SplunkTrust
‎04-17-2017 09:12 AM

We would need some sample events and your current props.conf/transforms.conf. Meanwhile, check if something like this works for you.

#Inputs.conf on forwarder
[monitor://<<path of file>]
index = ..
sourcetype = some_default_sourcetype

#props.conf on Indexers/Heavy Forwarder
[some_default_sourcetype]
...event parsing stuffs..
TRANSFORMS-overridest = change_st_by_IP1,change_st_by_IP2,change_st_by_IP3,....

#transforms.conf on Indexers/Heavy Forwarder. Replace IPs with your exact values)
[change_st_by_IP1]
REGEX = (10\.11\.12\.13)
FORMAT = sourcetype::yourNewSourceType1
DEST_KEY = MetaData:Sourcetype

[change_st_by_IP2]
REGEX = (20\.21\.22\.23)
FORMAT = sourcetype::yourNewSourceType2
DEST_KEY = MetaData:Sourcetype

..
similar stanza for other IPs...

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
SplunkTrust
SplunkTrust
‎04-17-2017 09:12 AM

We would need some sample events and your current props.conf/transforms.conf. Meanwhile, check if something like this works for you.

#Inputs.conf on forwarder
[monitor://<<path of file>]
index = ..
sourcetype = some_default_sourcetype

#props.conf on Indexers/Heavy Forwarder
[some_default_sourcetype]
...event parsing stuffs..
TRANSFORMS-overridest = change_st_by_IP1,change_st_by_IP2,change_st_by_IP3,....

#transforms.conf on Indexers/Heavy Forwarder. Replace IPs with your exact values)
[change_st_by_IP1]
REGEX = (10\.11\.12\.13)
FORMAT = sourcetype::yourNewSourceType1
DEST_KEY = MetaData:Sourcetype

[change_st_by_IP2]
REGEX = (20\.21\.22\.23)
FORMAT = sourcetype::yourNewSourceType2
DEST_KEY = MetaData:Sourcetype

..
similar stanza for other IPs...
Reply
Solved! Jump to solution

vanheer
Explorer
‎08-19-2022 11:29 AM

Hi,

I have a question here, can we use different index for each sourcetype in these conf files?

 

Tags (3)
0 Karma
Reply
Solved! Jump to solution

acsanders
New Member
‎04-17-2017 12:25 PM

That did exactly what I was trying to accomplish. Thanks so much for the fast response.

0 Karma
Reply
Solved! Jump to solution

acsanders
New Member
‎04-18-2017 05:10 AM

I have an additional question. I need to do the same thing with a string that I am doing with an IP address. Whats the correct way to do this. How do I set up the REGEX for a string?

transforms.comf
[change_st_by_IP9]
REGEX = Plinapp748

FORMAT = sourcetype::McAfee_ePO
DEST_KEY = MetaData:Sourcetype

0 Karma
Reply
Solved! Jump to solution

somesoni2
SplunkTrust
SplunkTrust
‎04-18-2017 07:49 AM

It's the same way as IP. IP has a special character dot so I had to escape it. If your string just has alphanumeric values, just specify them as it is in REGEX.

0 Karma
Reply
Solved! Jump to solution

acsanders
New Member
‎04-18-2017 09:30 AM

Thanks so much for the help. Worked like a charm.

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...