Knowledge Management

How to Identify sourcetypes by logs

MadhuS1
Explorer

Hi

Is there any way that we could easily identify the sourcetypes for different logs?
Is there any place where I can see a list of all sourcetypes with sample logs in Splunk? Or anything which helps me decide the sourcetype?

I have a situation where, for one index and sourcetype, I have different types of logs, and I am pretty sure that they are from the same sourcetype.

Thanks


skoelpin
SplunkTrust

You should use the punct field for this. The punct field looks at the punctuation in your logs so you can easily tell the difference between different logging formats. So as an example, if you wanted to see the relationship between how many different sourcetypes share a common logging format, you would do something like this. You would probably need to chop off anything after 5 characters.

index=...
| stats values(sourcetype) AS sourcetype by punct
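To make the punct idea concrete outside Splunk, here is an added Python example (not code from the answer above or from Splunk) that approximates how the punct field is derived and then groups constructed sample events by it, the way `stats values(sourcetype) by punct` does. It assumes, as an approximation, that punct strips letters and digits from the first line of an event, replaces spaces with underscores and keeps the first 30 characters; the sample events and labels are constructed for illustration.

```python
"""Approximate Splunk's punct field and group events by it (added example)."""
from collections import defaultdict

# Assumption: the punct field is limited to the first 30 characters.
PUNCT_LEN = 30


def punct_signature(event: str, length: int = PUNCT_LEN) -> str:
    """Return an approximation of Splunk's punct value for one event.

    Letters and digits are dropped, spaces become underscores, every
    other character is kept, and only the first line of the event and
    the first `length` characters of the pattern are used.
    """
    first_line = event.split("\n", 1)[0]
    pattern = []
    for ch in first_line:
        if ch.isalnum():
            continue
        pattern.append("_" if ch == " " else ch)
    return "".join(pattern)[:length]


def group_by_punct(events, prefix_len=None):
    """Map a punct pattern (optionally cut to `prefix_len`, which mirrors
    the 'chop off anything after 5 characters' suggestion) to the set of
    labels whose events share it. `events` is a list of (label, event)."""
    groups = defaultdict(set)
    for label, event in events:
        sig = punct_signature(event)
        if prefix_len is not None:
            sig = sig[:prefix_len]
        groups[sig].add(label)
    return dict(groups)


# Constructed sample events; the labels stand in for sourcetype values.
SAMPLE_EVENTS = [
    ("syslog",
     "Jan 12 10:15:03 host1 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234"),
    ("linux_secure",
     "Jan 12 10:15:04 host1 sshd[1234]: Failed password for bob from 10.0.0.9 port 51235"),
    ("json",
     '{"ts":"2024-01-12T10:15:03Z","level":"info","msg":"login ok"}'),
    ("apache",
     '10.0.0.5 - - [12/Jan/2024:10:15:03 +0000] "GET /index.html HTTP/1.1" 200 1043'),
]


if __name__ == "__main__":
    # Two syslog-style events from different labels collapse onto one
    # pattern; the JSON and access-log events each get their own.
    for sig, labels in sorted(group_by_punct(SAMPLE_EVENTS, prefix_len=5).items()):
        print(f"{sig!r:12} -> {sorted(labels)}")
```

Grouping on the full pattern is stricter than grouping on a 5-character prefix: the two sshd lines share the full pattern here only because they have the same number of tokens, so a shorter prefix is the more forgiving way to spot formats that merely look alike.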

skoelpin
SplunkTrust

Did this work for you?


lloydknight
Builder

Also, check this link for the list of pretrained sourcetypes, in case your sourcetypes are already in Splunk.

MadhuS1
Explorer

This is good. Thank you...


tiagofbmm
Influencer

You could start by getting a sample of each log and using Splunk's automatic sourcetype detection by adding those samples to Splunk.

MadhuS1
Explorer

Thanks for the reply.

Did you mean index those logs using the Add Data menu, and then Splunk detects the sourcetype automatically?
What if the sourcetypes don't exist in my Splunk instance? Could you please give some more points and correct me if I am wrong? Thanks...


tiagofbmm
Influencer

Yes, using Add Data was my suggestion; as you know, Splunk has that feature built in.

In case the sourcetype does not exist in the environment, what I always do when I have a new kind of log is go to SplunkBase and search for the technology I'm looking for. Most of the parsing packages are really good and there is no point in re-inventing the wheel.

Give SplunkBase a shot too.


MadhuS1
Explorer

I will try that. Thank you very much 🙂


tiagofbmm
Influencer

Alright, let me know what you found (or did not find).

If the answer has been useful for you, upvote or accept it for future reference.
