Knowledge Management

How to identify sourcetypes by logs

MadhuS1
Explorer

Hi

Is there any way that we could easily identify the sourcetypes for different logs?
Is there any place where I can see a full list of sourcetypes with sample logs in Splunk? Or anything which helps me to decide the sourcetype?

I have a situation where, for an index and a sourcetype, I have different types of logs, and I am pretty sure that they are from the same sourcetype.

Thanks

0 Karma

skoelpin
SplunkTrust

You should use the punct field for this. The punct field looks at the punctuation in your logs, so you can easily tell the difference between different logging formats. So, as an example, if you wanted to see the relationship between how many different sourcetypes share a common logging format, you would do something like this. You would probably need to chop off anything after 5 characters.

index=... 
| stats values(sourcetype) AS sourcetype by punct 
0 Karma
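To make the answer above concrete offline, here is an added Python example (not code from the thread or from Splunk) that approximates how Splunk derives the punct field and then reproduces the `stats values(sourcetype) by punct` grouping over a handful of constructed sample events. Assumptions: punct drops letters and digits, maps spaces to `_` and tabs to `t`, keeps every other character, and is truncated to 30 characters; the sample events and their sourcetype labels are made up for the demonstration. The `prefix_len` parameter implements the "chop off anything after 5 characters" advice and shows why it matters: two Apache access lines get different full-length punct values (the URL punctuation differs), but the same 5-character prefix.

```python
"""Approximate Splunk's punct field offline and group sample events by it."""
from collections import defaultdict

PUNCT_MAX_LEN = 30  # assumption: Splunk truncates punct to the first 30 characters


def punct(event: str, max_len: int = PUNCT_MAX_LEN) -> str:
    """Build a punctuation fingerprint roughly the way Splunk's punct field does:
    letters and digits are dropped, spaces become '_', tabs become 't',
    every other character is kept, and the result is truncated to max_len."""
    out = []
    for ch in event.rstrip("\r\n"):
        if ch.isalnum():
            continue
        if ch == " ":
            out.append("_")
        elif ch == "\t":
            out.append("t")
        else:
            out.append(ch)
    return "".join(out)[:max_len]


# Constructed sample events as (sourcetype, _raw) pairs; not real data.
SAMPLE_EVENTS = [
    ("access_combined",
     '192.0.2.10 - - [10/Mar/2024:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326'),
    ("access_combined",
     '198.51.100.7 - - [10/Mar/2024:13:55:40 +0000] "POST /login HTTP/1.1" 302 512'),
    ("linux_secure",
     "Mar 10 13:55:36 host1 sshd[1234]: Accepted publickey for alice from 192.0.2.5 port 51234 ssh2"),
    ("linux_secure",
     "Mar 10 13:55:37 host1 sshd[1240]: Failed password for bob from 192.0.2.6 port 51235 ssh2"),
    ("_json",
     '{"ts":"2024-03-10T13:55:36Z","level":"info","msg":"started"}'),
]


def sourcetypes_by_punct(events, prefix_len=None):
    """Offline equivalent of `| stats values(sourcetype) AS sourcetype by punct`.
    prefix_len trims the punct key (the 'chop off after 5 characters' advice) so that
    message-specific punctuation further into the event does not split one logging
    format into many keys. Returns {punct_key: sorted list of sourcetypes}."""
    groups = defaultdict(set)
    for sourcetype, raw in events:
        key = punct(raw)
        if prefix_len is not None:
            key = key[:prefix_len]
        groups[key].add(sourcetype)
    return {key: sorted(sts) for key, sts in groups.items()}


def format_count(events, prefix_len=None):
    """Number of distinct punct keys (i.e. apparent logging formats) in the sample."""
    return len(sourcetypes_by_punct(events, prefix_len))


if __name__ == "__main__":
    # Full-length punct separates the two Apache lines; a 5-character prefix merges them.
    for n in (None, 5):
        print(f"prefix_len={n}: {format_count(SAMPLE_EVENTS, n)} distinct formats")
        for key, sts in sourcetypes_by_punct(SAMPLE_EVENTS, n).items():
            print(f"  {key!r:34} -> {sts}")
```

Run it to see that the full punct value yields four keys (the Apache lines split on `/index.html` versus `/login`) while the 5-character prefix yields three, one per format. When a single key maps to more than one sourcetype in real data, that is the signal that either two sourcetypes share a format or that one of them is mislabelled, which is the check the original question is after.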

skoelpin
SplunkTrust

Did this work for you?

0 Karma

lloydknight
Builder

Also, check this link for the list of pretrained sourcetypes, in case your sourcetypes are already in Splunk.

MadhuS1
Explorer

This is good. Thank you...

0 Karma

tiagofbmm
Influencer

You could start by getting a sample of each log and use Splunk's automatic sourcetype detection by adding those samples to Splunk.

MadhuS1
Explorer

Thanks for the reply.

Did you mean index those logs using the Add Data menu, and then Splunk detects the sourcetype automatically?
What if the sourcetype doesn't exist under my Splunk instance? Could you please give some more points and correct me if I am wrong? Thanks...

0 Karma

tiagofbmm
Influencer

Yes, using Add Data was my suggestion; as you know, Splunk has that feature built in.

In case the sourcetype does not exist in the environment, then what I always do when I have a new kind of log is go to SplunkBase and search for the technology I'm looking for. Most of the parsing packages are really good, and there is no point in re-inventing the wheel.

Give SplunkBase a shot too.

0 Karma

MadhuS1
Explorer

I will try that. Thank you very much 🙂

0 Karma

tiagofbmm
Influencer

Alright, let me know what you found (or did not find).

If the answer has been useful for you, upvote or accept it for future reference.

0 Karma