Solved: overriding sourcetype with sourcetype= in props.co...

alextsui · ‎04-21-2010

Hello, when using the following setup in props.conf, i was able to get the sourcetypes I want.

[source::/var/splunk/huaya-fs1/10010715/mitac_log-10010715.tar.gz:./wtmpx]
sourcetype = wtmpx

[source::/var/splunk/huaya-fs1/10010715/mitac_log-10010715.tar.gz:./messages]
sourcetype = messages

However, when I tried the setup below, sourcetype wtmpx showed, but messages files showed syslog as their sourcetype.

[source::/var/splunk/.../.../.../wtmpx]
sourcetype = wtmpx

[source::/var/splunk/.../.../.../messages]
sourcetype = messages

any ideas?

Splunk 4.1.1 on Linux 2.6 Kernel

thanks

gkanapathy · ‎04-21-2010

It's being overridden by a setting in $SPLUNK_HOME/etc/system/default/props.conf:

[source::.../messages(.\d+)?]
sourcetype = syslog

You can override this by using:

[source::/var/splunk/*/*/*/messages]
sourcetype = messages
priority = 101

Note that you probably don't want multiple ... wildcards, since those expand to (in regex terms) .* (dot star), including / (slash), which means it will match files deeper than you appear to have wanted. * expands (in regex terms) to [^\\/]*, i.e., anything except a path separator.

View solution in original post

gkanapathy · ‎04-21-2010

It's being overridden by a setting in $SPLUNK_HOME/etc/system/default/props.conf:

[source::.../messages(.\d+)?]
sourcetype = syslog

You can override this by using:

[source::/var/splunk/*/*/*/messages]
sourcetype = messages
priority = 101

Note that you probably don't want multiple ... wildcards, since those expand to (in regex terms) .* (dot star), including / (slash), which means it will match files deeper than you appear to have wanted. * expands (in regex terms) to [^\\/]*, i.e., anything except a path separator.

overriding sourcetype with sourcetype= in props.conf

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk