We have hundreds of LDAP servers ready to be splunked. We would like to generate the sourcetype based on the source. Here is a small sample of the layout -
Is it possible to create the sourcetype based on the source?
Here's how you do it:
inputs.conf
[monitor:///path/to/ldaplogsABC/*.log]
sourcetype=yourSourcetype
crcSalt=<SOURCE>
props.conf
[yourSourcetype]
TRANSFORMS-src2st=src2st
transforms.conf
[src2st]
SOURCE_KEY = MetaData:Source
REGEX = -(\w+)(-\w+)?\/(\w+)
FORMAT = MetaData:Sourcetype
DEST_KEY = sourcetype::ldap:$1:prd:$3
Reload data.
Sorry so many updates... takes me a long time to get these answers right.
Not sure about it ...
Are these two upside down?
FORMAT = MetaData:Sourcetype
DEST_KEY = sourcetype::ldap:$1:prd:$3
Should it be?
FORMAT = sourcetype::ldap:$1:prd:$3
DEST_KEY = MetaData:Sourcetype
Gorgeous solution @jkat54.
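An added example, not part of the original thread and not Splunk code: a Python sketch that applies the answer's REGEX and the FORMAT template (with FORMAT and DEST_KEY assigned as the follow-up comment proposes) to source paths, so the resulting sourcetypes can be checked before reloading. The sample paths are constructed assumptions, and Python's `re` stands in for Splunk's regex engine.

```python
import re

# REGEX and FORMAT template taken from the thread's transforms.conf.
REGEX = re.compile(r"-(\w+)(-\w+)?\/(\w+)")
FORMAT = "sourcetype::ldap:$1:prd:$3"
DEFAULT_SOURCETYPE = "yourSourcetype"  # assigned in inputs.conf


def expand(template, match):
    """Substitute $N with capture group N (unmatched groups become empty)."""
    return re.sub(r"\$(\d+)",
                  lambda m: match.group(int(m.group(1))) or "",
                  template)


def sourcetype_for(source):
    """Return the sourcetype this transform would assign to a source path."""
    match = REGEX.search(source)  # unanchored, so the leftmost match wins
    if match is None:
        return DEFAULT_SOURCETYPE  # transform does not fire
    return expand(FORMAT, match).split("::", 1)[1]


# Constructed sample paths (assumptions, not taken from the thread).
SAMPLES = [
    "/var/log/ldap-abc-east/access.log",  # optional second group present
    "/var/log/ldap-abc/errors.log",       # optional second group absent
    "/path/to/ldaplogsABC/audit.log",     # no hyphen: default sourcetype kept
    "/opt/my-app/ldap-abc/access.log",    # earlier hyphen captures wrong parts
]

if __name__ == "__main__":
    for path in SAMPLES:
        print(f"{path:40} -> {sourcetype_for(path)}")
```

The last sample shows why the pattern may need anchoring to the LDAP directory name: a hyphen earlier in the path matches first and yields `ldap:app:prd:ldap`.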
Not sure you can do dynamic inputs.conf; maybe I am wrong, and in that case I would love to learn how to do so.
In any case, it seems like any log path will have its own sourcetype, so create a quick script that writes your inputs.conf and you'll be fine.
@adonio,
-- "create a quick script that writes your inputs.conf and you'll be fine"
What does it mean?
Apparently there is a way. I hope it matches your requirements (although I am not sure, therefore my first comment) and answers your question. Read these answers:
https://answers.splunk.com/answers/7390/dynamic-sourcetype-extraction.html
https://answers.splunk.com/answers/637871/how-to-can-i-configure-dynamic-sourcetype-assignme.html
Hope it helps.
Much appreciated @adonio.