How to specify source stanza for non-file input ty...

anton085 · ‎08-10-2017

I am trying to write some source:: stanzas in props.conf to forward data to another system. For file inputs (e.g., monitor type inputs), I can write [source::/path/to/file] and it works. However, I am wondering what would the part of source:: be for other source types such as windows event logs. For example, when I tried [source::Application] for matching Windows Application Event logs, it didn't work, but when I tried [source::WinEventLog:Application], it worked.

My question is, is there a list of prefixes such as WinEventLog for input types other than file? For example, what would be the prefix patterns for Local Performance Monitoring, TCP/UDP, Registry Monitoring, Local Windows Host, Printer, Network monitoring etc? In lieu of prefix patterns, how would I write the source:: stanza for the above types?

gcusello · ‎08-11-2017

Hi anton085,
you can use also other default fields as sourcetype instead source.
I always prefer to use sourcetype instead source to make this.
Bye.
Giuseppe

anton085 · ‎08-11-2017

What if I wanted to forward only a particular source of a sourcetype? Setting a sourcetype would mean all sources will be forwarded, and I don't want that. I assumed there would be predefined values for sources that Splunk supports out of the box.

hardikJsheth · ‎08-10-2017

No there aren't any fix values. You can set source as required in the inputs.conf and then use the same in props.conf file.

anton085 · ‎08-11-2017

I assumed there would be predefined values for sources (and sourcetypes) that Splunk supports out of the box.

How to specify source stanza for non-file input types in props.conf

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...