Solved: How do I select different sourcetypes for multiple...

CREVITCH · ‎01-08-2016

How do I select different sourcetypes for multiple logs coming from multiple servers (no universal forwarders, using rsyslog.conf)? When I set up the input port, it only offers one type of sourcetype choice.

somesoni2 · ‎01-08-2016

This is needs to be done

http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Advancedsourcetypeoverrides

View solution in original post

s2_splunk · ‎01-08-2016

Answered, but I wanted to suggest that you consider sending your syslog traffic to a syslog-ng server, do your filtering/tagging there and write to separate files that are then processed by a UF.
Sending syslog traffic directly to your indexer will mean you will lose events whenever you have to restart your indexer.

milesbrennan · ‎01-10-2016

Or you can follow this RSysLog 8.15.0 guide I wrote specifically for Splunk usage.
https://answers.splunk.com/answers/337489/howto-setup-rsyslog-network-event-log-filtering-ba.html

somesoni2 · ‎01-08-2016

This is needs to be done

http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Advancedsourcetypeoverrides

How do I select different sourcetypes for multiple logs coming from multiple servers using rsyslog.conf (no universal forwarders)?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!