
How to specify source stanza for non-file input types in props.conf

anton085
Path Finder

I am trying to write some source:: stanzas in props.conf to forward data to another system. For file inputs (e.g., monitor type inputs), I can write [source::/path/to/file] and it works. However, I am wondering what the part after source:: would be for other source types such as Windows event logs. For example, when I tried [source::Application] for matching Windows Application Event logs, it didn't work, but when I tried [source::WinEventLog:Application], it worked.

My question is, is there a list of prefixes such as WinEventLog for input types other than file? For example, what would be the prefix patterns for Local Performance Monitoring, TCP/UDP, Registry Monitoring, Local Windows Host, Printer, Network monitoring etc? In lieu of prefix patterns, how would I write the source:: stanza for the above types?

0 Karma

gcusello
SplunkTrust

Hi anton085,
You can also use other default fields, such as sourcetype, instead of source.
I always prefer to use sourcetype instead of source to do this.
Bye.
Giuseppe

0 Karma

anton085
Path Finder

What if I wanted to forward only a particular source of a sourcetype? Setting a sourcetype would mean all sources will be forwarded, and I don't want that. I assumed there would be predefined values for sources that Splunk supports out of the box.

0 Karma

hardikJsheth
Motivator

No, there aren't any fixed values. You can set source as required in inputs.conf and then use the same value in the props.conf file.

0 Karma
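
The approach from the answer above, written out as an added example that is not part of the original thread: one of two TCP inputs sharing a sourcetype is given an explicit source, and only that source is routed onward. The ports, source values, sourcetype, stanza names and receiver address are constructed placeholders, and routing with `_TCP_ROUTING` to a `tcpout` group is an assumption about what "forward to another system" means here.

```ini
# inputs.conf
# Two inputs share one sourcetype; "source" is set explicitly on each
# so that props.conf can tell them apart.
[tcp://5514]
sourcetype = app_events
source = tcp:billing-gateway

[tcp://5515]
sourcetype = app_events
source = tcp:inventory

# props.conf
# Matches only the first input. The value after "source::" is the same
# string assigned in inputs.conf. This stanza takes effect where the data
# is parsed (heavy forwarder or indexer), not on a universal forwarder.
[source::tcp:billing-gateway]
TRANSFORMS-route_billing = route_to_other_system

# transforms.conf
# REGEX = . matches every event from that source and sends it to the
# tcpout group named in FORMAT.
[route_to_other_system]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = other_system

# outputs.conf
[tcpout:other_system]
server = receiver.example.com:9997
```

To see which source values an existing input already produces before writing the stanza, a search such as `| metadata type=sources index=*` lists the source strings Splunk has recorded.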

anton085
Path Finder

I assumed there would be predefined values for sources (and sourcetypes) that Splunk supports out of the box.

0 Karma