Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

dynamic sourcetypes - can splunk do this? (and I'll be impressed if it can)

a212830
Champion
‎02-06-2015 06:11 AM

Hi,

I have a request to monitor a directory, with dynamic logfiles. Sometimes they are there, sometimes the customer will create new ones.... They have validated that the logfiles all follow the same format. Is it possible for splunk to create a sourcetype based upon the name of the file? They all follow the format SERVICE_PID.log. I could create one based upon the directory name, but they would rather use separate sourcetypes, if possible, for easier analysis and reporting.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
Legend
‎02-06-2015 06:15 AM

Hi a212830,

Yes it can 😉 You will need to specify this in your props/transforms files any where parsing/indexing is being performed.

props.conf 

[source::...regex_to_match_filename] 
TRANSFORMS-fs = force-sourcetype-st

transforms.conf 

[force-sourcetype-st] 
DEST_KEY = MetaData::Sourcetype 
SOURCE_KEY = MetaData::Source 
REGEX = YOUR_REGEX_TO_PULL_THE_FILENAME 
FORMAT = sourcetype::$1 
WRITE_META = true

Hope this helps ...

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution

thomrs
Communicator
‎02-06-2015 06:18 AM

Source type is set at index time so do not think this is possible. I had a similar issue and I used the same source type for everything but added a new filed based on the file source called 'logname'. This is a search time approach and has been working fine.

You could use a transform at index time to add the 'logname' as metadata if needed.

0 Karma
Reply
Solved! Jump to solution

thomrs
Communicator
‎02-06-2015 09:17 AM

I was wrong you can do this with an index time transform. I always stay away from doing that, i never want to change the raw data,

http://docs.splunk.com/Documentation/Splunk/latest/Data/Advancedsourcetypeoverrides

Reply
Solved! Jump to solution

MuS
Legend
‎02-06-2015 11:30 AM

Good one! Knowing his weakness, is a way to strength .... or something like that ..... Yoda would said have 🙂

Reply
Solved! Jump to solution
Solution

MuS
Legend
‎02-06-2015 06:15 AM

Hi a212830,

Yes it can 😉 You will need to specify this in your props/transforms files any where parsing/indexing is being performed.

props.conf 

[source::...regex_to_match_filename] 
TRANSFORMS-fs = force-sourcetype-st

transforms.conf 

[force-sourcetype-st] 
DEST_KEY = MetaData::Sourcetype 
SOURCE_KEY = MetaData::Source 
REGEX = YOUR_REGEX_TO_PULL_THE_FILENAME 
FORMAT = sourcetype::$1 
WRITE_META = true

Hope this helps ...

cheers, MuS

Reply
Solved! Jump to solution

a212830
Champion
‎02-06-2015 08:34 AM

Good stuff, both useful. I'll try them out.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...