When i try to train splunk to automatically recognize files of a given type, I get the following:
# $SPLUNK_HOME/bin/splunk train sourcetype /tmp/maillog qmail_maillog
errror: Parameters must be in the form '-parameter value'
Am I doing this wrong? Is there a workaround?
Firstly, for many cases, applying sourcetypes by file pattern can be preferable to content-based recognition. The file pattern rules are easier to audit. This can be done via overlapping input stanzas (in 4.1+), or by source:: regex-like patterns in props.conf.
If you do have the need to apply sourcetypes by content, then the train command is busted (SPL-31078), but it's just a candy wrapper over the following, which you can use directly for full effect:
$SPLUNK_HOME/bin/splunk cmd classify path/to/myfile mysourcetype
If you're trying to use train to recognize timestamps, I generally recommend using TIME_FORMAT instead.
Firstly, for many cases, applying sourcetypes by file pattern can be preferable to content-based recognition. The file pattern rules are easier to audit. This can be done via overlapping input stanzas (in 4.1+), or by source:: regex-like patterns in props.conf.
If you do have the need to apply sourcetypes by content, then the train command is busted (SPL-31078), but it's just a candy wrapper over the following, which you can use directly for full effect:
$SPLUNK_HOME/bin/splunk cmd classify path/to/myfile mysourcetype
If you're trying to use train to recognize timestamps, I generally recommend using TIME_FORMAT instead.