Getting Data In

listing properties for a pre-trained sourcetype

a212830
Champion

Hi,

Is there a way to list the properties for a pre-trained sourcetype?


martin_mueller
SplunkTrust

You can use btool, for example:

$ $SPLUNK_HOME/bin/splunk cmd btool props list access_combined_wcookie
[access_combined_wcookie]
ANNOTATE_PUNCT = True
BREAK_ONLY_BEFORE =
BREAK_ONLY_BEFORE_DATE = True
CHARSET = AUTO
DATETIME_CONFIG = \etc\datetime.xml
HEADER_MODE =
LEARN_SOURCETYPE = true
LINE_BREAKER_LOOKBEHIND = 100
MAX_DAYS_AGO = 2000
MAX_DAYS_HENCE = 2
MAX_DIFF_SECS_AGO = 3600
MAX_DIFF_SECS_HENCE = 604800
MAX_EVENTS = 256
MAX_TIMESTAMP_LOOKAHEAD = 128
MUST_BREAK_AFTER =
MUST_NOT_BREAK_AFTER =
MUST_NOT_BREAK_BEFORE =
REPORT-access = access-extractions
SEGMENTATION = indexing
SEGMENTATION-all = full
SEGMENTATION-inner = inner
SEGMENTATION-outer = outer
SEGMENTATION-raw = none
SEGMENTATION-standard = standard
SHOULD_LINEMERGE = False
TIME_PREFIX = \[
TRANSFORMS =
TRUNCATE = 10000
detect_trailing_nulls = auto
maxDist = 100

Same with looking at the REPORT-access = access-extractions config mentioned above:

$ $SPLUNK_HOME/bin/splunk cmd btool transforms list access-extractions
[access-extractions]
CAN_OPTIMIZE = True
CLEAN_KEYS = True
DEFAULT_VALUE =
DEST_KEY =
FORMAT =
KEEP_EMPTY_VALS = False
LOOKAHEAD = 4096
MV_ADD = False
REGEX = ^[[nspaces:clientip]]\s++[[nspaces:ident]]\s++[[nspaces:user]]\s++[[sbstring:req_time]]\s++[[access-request]]\s++[[nspaces:status]]\s++[[nspaces:bytes]](?:\s++"(?<referer>[[bc_domain:referer_]]?+[^"]*+)"(?:\s++[[qstring:useragent]](?:\s++[[qstring:cookie]])?+)?+)?[[all:other]]
SOURCE_KEY = _raw
WRITE_META = False

martin_mueller
SplunkTrust

Newbies may be confused by this output because it lists all the values, including default ones. If you have a sourcetype in props.conf that only has three keys set, btool will still list all of them.
Set the debug flag in btool and you'll see the path for each setting, making it fairly obvious which is default and which isn't.

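The comment above points at the btool debug flag as the way to tell shipped defaults from site overrides. As an added example that is not part of this thread and not Splunk's own code, here is a small Python parser for the general shape of `splunk btool props list <stanza> --debug` output (each line prefixed with the file that supplied the winning value). It classifies every key by whether it came from a `default/` or a `local/` directory and renders the minimal stanza containing only the overrides. The sample output, paths and values are constructed for the example, not taken from a real installation.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the shape of `splunk btool props list <stanza> --debug`
# output. Paths and values are made up for this example, not copied from a
# real Splunk install; btool pads the path to a fixed column width.
SAMPLE_DEBUG_OUTPUT = """\
/opt/splunk/etc/system/default/props.conf          [access_combined_wcookie]
/opt/splunk/etc/system/default/props.conf          ANNOTATE_PUNCT = True
/opt/splunk/etc/system/default/props.conf          BREAK_ONLY_BEFORE =
/opt/splunk/etc/system/default/props.conf          MAX_DAYS_AGO = 2000
/opt/splunk/etc/apps/search/default/props.conf     SHOULD_LINEMERGE = False
/opt/splunk/etc/system/local/props.conf            TRUNCATE = 0
/opt/splunk/etc/apps/myapp/local/props.conf        TIME_PREFIX = \\[
"""

# path, then whitespace, then the rest of the line (trailing whitespace dropped)
LINE_RE = re.compile(r"^(?P<path>\S+)\s+(?P<body>.*?)\s*$")
STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
# KEY = VALUE, where VALUE may legitimately be empty (e.g. "BREAK_ONLY_BEFORE =")
KV_RE = re.compile(r"^(?P<key>[^=\s]+)\s*=\s*(?P<value>.*)$")


@dataclass(frozen=True)
class Setting:
    stanza: str
    key: str
    value: str
    path: str

    @property
    def is_default(self) -> bool:
        # Anything under a .../default/ directory is config shipped with Splunk
        # or an app; .../local/ directories hold site-specific overrides.
        return "/default/" in self.path


def parse_btool_debug(text: str) -> list[Setting]:
    """Parse btool --debug output into one Setting per key, in file order."""
    settings: list[Setting] = []
    stanza: str | None = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE_RE.match(raw)
        if not m:
            raise ValueError(f"unparseable btool line: {raw!r}")
        path, body = m.group("path"), m.group("body")
        s = STANZA_RE.match(body)
        if s:
            stanza = s.group("name")
            continue
        kv = KV_RE.match(body)
        if not kv or stanza is None:
            raise ValueError(f"unexpected line outside a stanza: {raw!r}")
        settings.append(Setting(stanza, kv.group("key"), kv.group("value"), path))
    return settings


def overridden_settings(settings: list[Setting]) -> list[Setting]:
    """Keep only the keys whose winning value comes from a local/ file."""
    return [s for s in settings if not s.is_default]


def minimal_stanza(settings: list[Setting]) -> str:
    """Render a props.conf stanza holding only the non-default keys."""
    overrides = overridden_settings(settings)
    if not overrides:
        return ""
    lines = [f"[{overrides[0].stanza}]"]
    lines += [f"{s.key} = {s.value}" for s in overrides]
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_btool_debug(SAMPLE_DEBUG_OUTPUT)
    for s in parsed:
        origin = "default" if s.is_default else "LOCAL  "
        print(f"{origin}  {s.key} = {s.value}   ({s.path})")
    print("\nMinimal stanza for trainees:\n" + minimal_stanza(parsed))
```

Feeding real `--debug` output into `parse_btool_debug` gives the same two views: the full merged list, and the handful of keys someone actually set in `local/`. The second view is also the one worth reviewing when auditing an indexer's parsing config, since an override such as `TRUNCATE = 0` (no truncation) changes ingestion behaviour for every event of that sourcetype.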

a212830
Champion

Sooooooooooooo, let's take this to the next step. I am teaching some people how to input data into Splunk. A lot of my requests are syslog, but we don't actually use the syslog sourcetype, because we have so many and want the ability to separate them. Could I use this command and use the majority of these as a template, to give to my trainees?
