- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Add a sourcetype from a Splunk Supported Add-On to...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Add a sourcetype from a Splunk Supported Add-On to the list of pretrained sourcetypes
Splunk has a list of pretrained sourcetypes (http://docs.splunk.com/Documentation/Splunk/latest/Data/Listofpretrainedsourcetypes). I have installed a new Splunk Supported Add-on called the Splunk Add-on for Tomcat. I am using Splunk Enterprise version 6.5.1.
The list of pre-trained sourcetypes includes a sourcetype of catalina. The description for the sourcetype shows "Output produced by Apache Tomcat Catalina (System.out and System.err)"
The Splunk Add-On for Tomcat (http://docs.splunk.com/Documentation/AddOns/released/Tomcat/Sourcetypes) has the following sources identified as sourcetype tomcat:runtime:log:
Catalina.log, localhost.log, manager.log, host-manager.log
I have a file called /tmp/catalina.log, and I would like Splunk to automatically sourcetype the value as tomcat:runtime:log. In testing, I have a dev splunk instance with the Splunk Add-On for tomcat installed.
I have a monitor statement as follows for testing:
[monitor:///tmp/catalina3.log]
index = main
Attempts to auto learn the sourcetype to a value of tomcat:runtime:log fail. Splunk will always try and set the sourcetype to a value of catalina-#. A # shows the number as an incremental # assigned to the sourcetype. In tests, I used data sets with 200 lines or 2000 lines.
I supposed that I could setup a rule that would check the file name and classify accordingly, but I figured that a Splunk supported Add-On would update the list of pretrained sourcetypes.
Is this a feature add that splunk could add in the future? Is it possible to easily update the list of pretrained sourcetypes?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That is a good question. The goal is to have Splunk "auto" discover a sourcetype based on a known list. The Splunk UI doesn't have this capability yet, so I have been trying to find methods for automation. I may have missed this in my first post, but I hope this update helps to solidify my first question.
I would like for Splunk to auto discover the sourcetype based on a known list. I can then setup a response to a customer or an admin, based on the results of a Splunk automated sourcetype recognition of a "monitor" input.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why not just specify the sourcetype that you want your file data to have in the inputs.conf itself?
[monitor:///tmp/catalina3.log]
index = main
sourcetype=tomcat:runtime:log
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
