Getting Data In

Setting sourcetype based on source via .conf file

deepak02
Path Finder

Hi,

I had an Application Server feeding logs into Splunk. Details as follows:

Source: /abc/logs/System-Perf-managed-vm1.log
Sourcetype: SystemPerf

The Application Server recently changed to a different name, and the sourcetype changed too.

Source: /abc/logs/System-PerfRest-managed-vm5.log
Sourcetype: SystemPerfRest

There seems to be a mapping between the source and the sourcetypes.
I do not have access to the conf files. I would like to know where this mapping will be defined (inputs.conf/props.conf/transforms.conf).

Thanks,
Deepak


woodcock
Esteemed Legend

As Splunk admin, whenever I have to modify a sourcetype, I always also add a sourcetype rename to props.conf so that the old/wrong sourcetype appears (at search time) as the new/correct sourcetype:

https://docs.splunk.com/Documentation/SplunkCloud/6.5.1612/Data/Renamesourcetypes

cpetterborg
SplunkTrust

Typically:

inputs.conf lists the files to be indexed (source) and which sourcetype for that source. This would go on the deployment server to be distributed to the universal forwarders.

props.conf usually goes on the indexers (through the cluster master if you are in a clustered environment) and maps the sourcetype (typically) to how the indexers are supposed to parse the file for indexing. It also identifies transforms that can be found in the transforms.conf file.

transforms.conf usually goes along with the props.conf file to define the transforms to the data, which may include the file name (source), the data transforms (actual changes to the data), and other such actions.

So the mapping occurs from the source to the sourcetype typically through the inputs.conf file, though that can be modified through the props.conf and transforms.conf files.

lguinn2
Legend

This could be defined in the inputs.conf or (more likely) it could be defined in the props.conf

[source::/abc/logs/System-PerfRest-managed-vm5.log]
sourcetype=abc

However, there might not be any setting for sourcetype in either of these files. By default, when no sourcetype is explicitly supplied and Splunk cannot identify the sourcetype, it automatically assigns a portion of the file name as the sourcetype.
You can override this behavior by putting the above stanza in a props.conf file that is located in the same directory as the inputs.conf file.
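To make the three answers above concrete, here is an added example (not code from the thread or from Splunk) that parses constructed inputs.conf and props.conf fragments and resolves a source path to a sourcetype the way the answers describe: an explicit sourcetype on the monitor input, a [source::...] stanza in props.conf, or a stand-in for Splunk's file-name fallback, followed by the search-time rename woodcock mentions. The conf contents, the monitor/source patterns and the precedence order are assumptions chosen for the demo, and the fallback is a deliberate simplification of Splunk's automatic assignment.

```python
"""
Added example (not from the Splunk thread): resolve a source path to a sourcetype
from constructed inputs.conf / props.conf fragments. The precedence used here
(props.conf [source::] stanza, then the inputs.conf monitor stanza, then a
file-name fallback) is an assumption for the demo, not a statement of Splunk's
exact rules.
"""
import re
from pathlib import PurePosixPath

# Constructed conf fragments; the paths and sourcetypes mirror the question.
INPUTS_CONF = """
[monitor:///abc/logs/System-Perf-managed-*.log]
sourcetype = SystemPerf
"""

PROPS_CONF = """
# Assign a sourcetype by source path (lguinn2's suggestion).
[source::/abc/logs/System-PerfRest-managed-*.log]
sourcetype = SystemPerfRest

# Search-time rename of the old sourcetype (woodcock's suggestion).
[SystemPerf]
rename = SystemPerfRest
"""


def parse_conf(text):
    """Parse INI-style .conf text into {stanza: {key: value}}; skips comments/blanks."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def splunk_pattern_to_regex(pattern):
    """Splunk path wildcards: '...' matches anything (including '/'),
    '*' matches anything except '/'; all other characters are literal."""
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("...", i):
            parts.append(".*")
            i += 3
        elif pattern[i] == "*":
            parts.append("[^/]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def sourcetype_from_inputs(source, inputs):
    """Sourcetype set on the matching [monitor://...] stanza, if any."""
    for stanza, settings in inputs.items():
        if stanza.startswith("monitor://"):
            if splunk_pattern_to_regex(stanza[len("monitor://"):]).match(source):
                return settings.get("sourcetype")
    return None


def sourcetype_from_props(source, props):
    """Sourcetype set by a matching [source::...] stanza; on several matches the
    longest (most specific) pattern wins. That tie-break is a demo assumption."""
    matches = []
    for stanza, settings in props.items():
        if stanza.startswith("source::") and "sourcetype" in settings:
            if splunk_pattern_to_regex(stanza[len("source::"):]).match(source):
                matches.append((stanza, settings["sourcetype"]))
    return max(matches, key=lambda m: len(m[0]))[1] if matches else None


def fallback_sourcetype(source):
    """Simplified stand-in for Splunk's automatic assignment: the file-name stem
    with any trailing digits removed."""
    return re.sub(r"\d+$", "", PurePosixPath(source).stem) or "unknown"


def resolve_sourcetype(source, inputs_text=INPUTS_CONF, props_text=PROPS_CONF):
    """Return {'indexed': ..., 'search_time': ...} for a source path."""
    inputs, props = parse_conf(inputs_text), parse_conf(props_text)
    indexed = (sourcetype_from_props(source, props)
               or sourcetype_from_inputs(source, inputs)
               or fallback_sourcetype(source))
    # rename = <new> under a [<sourcetype>] stanza only changes what search sees.
    search_time = props.get(indexed, {}).get("rename", indexed)
    return {"indexed": indexed, "search_time": search_time}


if __name__ == "__main__":
    for path in ("/abc/logs/System-Perf-managed-vm1.log",
                 "/abc/logs/System-PerfRest-managed-vm5.log",
                 "/abc/logs/other-service.log"):
        print(path, "->", resolve_sourcetype(path))
```

Running it shows the old vm1 file indexed as SystemPerf but searchable as SystemPerfRest through the rename, the new vm5 file picked up by the [source::...] stanza, and an unmatched file falling back to a name derived from the file name, which is the behaviour lguinn2 describes.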
