Splunk Search

Cross reference sourcetype in a lookup table

kmattern
Builder

I have a large number of Mid-Tier systems. Each one is associated with a specific set of IIS logs. Unfortunately the logs all have the same name. They are, however, stored in different folder structures based on the Mid-Tier name, all on the same Top Tier machine.

What I need to do is to be able to differentiate between all these log files based on the Mid-Tier name. Ideally what I would like to do is assign a specific sourcetype to each Mid-Tier and then use a lookup table to get the sourcetype by searching for the specific Mid-Tier. Then pass the sourcetype to a search so that data related to that specific Mid-Tier is returned from the correct set of logs, based on the sourcetype.

Is this even possible?

1 Solution

sowings
Splunk Employee

The "source" field contains the filename of the log that got indexed. I've set up a field extraction, based on the source field, to identify a part of the directory path to indicate the "type" of web instance I was looking at. Then, you can use it as a search parameter.

You could also use a lookup on the sourcetype as you've indicated. However, doing so means that you're maintaining a list of several sourcetypes, even though the data has the same shape (and would therefore typically be the same sourcetype). If I'm mistaken about that, and you do genuinely have different sourcetypes, then by all means, key this Mid-Tier field from the sourcetype.

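The path-based extraction the answer describes, as an added example that is not code from the thread or from Splunk. It assumes a hypothetical layout where each Mid-Tier's IIS logs sit directly under a "LogFiles" directory (C:\inetpub\logs\LogFiles\<MidTier>\W3SVC1\u_ex241201.log), an assumed sourcetype name "iis", and an assumed field name "midtier". The Python is a stand-in that runs the same regex Splunk would apply to the source field and mimics the `stats count by midtier` and `midtier=<name>` searches on a handful of constructed events; the props.conf stanza and rex command are included as strings for copying into a real deployment.

```python
import re
from collections import Counter

# Assumed, hypothetical directory layout on the Top Tier host (not given in the post):
#   C:\inetpub\logs\LogFiles\<MidTier>\W3SVC1\u_ex241201.log
# Every file has the same name, so the directory level immediately below
# "LogFiles" is the only thing that identifies the Mid-Tier. Anchoring on
# "LogFiles" rather than on "the directory above the filename" keeps sibling
# folders such as W3SVC1 from being picked up by mistake.
MIDTIER_RE = re.compile(r"(?i)[\\/]LogFiles[\\/](?P<midtier>[^\\/]+)[\\/]")

# The same regex as a search-time field extraction on the source field.
# "iis" is an assumed sourcetype name; the "<regex> in <field>" form of
# EXTRACT-<class> applies the regex to source instead of _raw.
PROPS_CONF_STANZA = r"""
[iis]
EXTRACT-midtier = (?i)[\\/]LogFiles[\\/](?<midtier>[^\\/]+)[\\/] in source
"""

# Ad-hoc form for trying the regex in the search bar before committing to props.conf.
SPL_REX = (
    r'sourcetype=iis | rex field=source "(?i)[\\/]LogFiles[\\/](?<midtier>[^\\/]+)[\\/]" '
    r"| stats count by midtier"
)


def extract_midtier(source):
    """Return the Mid-Tier name embedded in a source path, or None if the path does not match."""
    m = MIDTIER_RE.search(source)
    return m.group("midtier") if m else None


# Constructed sample events as (source, raw line); the raw lines are made-up W3C entries.
SAMPLE_EVENTS = [
    (r"C:\inetpub\logs\LogFiles\mt-east\W3SVC1\u_ex241201.log", "2024-12-01 10:00:01 GET /login 200"),
    (r"C:\inetpub\logs\LogFiles\mt-east\W3SVC1\u_ex241201.log", "2024-12-01 10:00:02 POST /login 302"),
    (r"C:\inetpub\logs\LogFiles\mt-west\W3SVC1\u_ex241201.log", "2024-12-01 10:00:03 GET /api/health 200"),
    (r"C:\inetpub\logs\LogFiles\MT-North\W3SVC2\u_ex241201.log", "2024-12-01 10:00:04 GET / 200"),
    # A stray log outside the expected tree: it must not be silently assigned to a Mid-Tier.
    (r"C:\inetpub\logs\other\u_ex241201.log", "2024-12-01 10:00:05 GET /legacy 404"),
]


def midtier_counts(events):
    """Mimic `| stats count by midtier`, keeping events with no match under the key None.

    Run this first: a non-zero count under None means some logs are being monitored
    from a path the regex does not cover, and a plain midtier=<name> search would drop them.
    """
    return dict(Counter(extract_midtier(src) for src, _ in events))


def search_midtier(events, name):
    """Mimic `midtier=<name>`; compare case-insensitively, as a Splunk field=value search does."""
    return [raw for src, raw in events if (extract_midtier(src) or "").lower() == name.lower()]


if __name__ == "__main__":
    print(midtier_counts(SAMPLE_EVENTS))
    print(search_midtier(SAMPLE_EVENTS, "mt-east"))
```

Once the extraction is in props.conf, the per-Mid-Tier search is just `sourcetype=iis midtier=mt-east`, with no lookup table and no extra sourcetypes to maintain. The only ongoing check is the `stats count by midtier` pass: any events without a midtier value point at a monitored path the regex was not written for.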


kmattern
Builder

Of course! I was totally blind to the source itself. The Mid-Tier name is embedded in the source path. I can pull the Mid-Tier name from the path and dispense with different sourcetypes.
