Splunk Search

Apply Field Extraction to similar sourcetypes that are named slightly differently

jason_perkins
New Member

Hi,

I need to apply field extractions across multiple files. They are the same type of files but slightly labeled differently, such as: messeges, messeges-1, messeges-2, messeges-3, ... messeges-13, etc. Currently I have to apply the same field extractions to each one and it's creating lots of work. I don't see any options in Splunk to apply to multiple sourcetypes. I tried reading posts with similar issues but all seem to have different solutions and left me really confused. If you have a rock solid solution please let me know. Thank you ahead of time.

Jason


mattymo
Splunk Employee

Hi @jason_perkins,

You will want to check out the ability to apply sourcetyping based on the “source”. This allows regex to be used to apply one sourcetype to many files without having to set it explicitly in many inputs, or to create duplicate sourcetypes:

[<spec>]
* This stanza enables properties for a given <spec>.

<spec> can be:
1. <sourcetype>, the source type of an event.
2. host::<host>, where <host> is the host, or host-matching pattern, for an event.
3. source::<source>, where <source> is the source, or source-matching pattern, for an event.
4. rule::<rulename>, where <rulename> is a unique name of a source type classification rule.
5. delayedrule::<rulename>, where <rulename> is a unique name of a delayed source type
   classification rule.
   These are only considered as a last resort before generating a new source type based on the
   source seen.

https://docs.splunk.com/Documentation/Splunk/latest/admin/Propsconf

Take a look at the props.conf.spec file and note the precedence rules.

**[<spec>] stanza precedence:**

For settings that are specified in multiple categories of matching [<spec>]
stanzas, [host::<host>] settings override [<sourcetype>] settings.
Additionally, [source::<source>] settings override both [host::<host>]
and [<sourcetype>] settings.
- MattyMo
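A props.conf that puts the answer above into practice, as an added example that is not part of the original thread or of Splunk's documentation. The file path, the sourcetype name `messeges` and the `proc`/`pid` fields are assumed for illustration; only the `[source::...]` stanza form, the `sourcetype` override and the `EXTRACT-<class>` setting are real props.conf features.

```ini
# props.conf (added example, not from the thread)
#
# Step 1 (index time): assign ONE sourcetype to every file whose source
# matches the pattern. "..." matches any number of path segments and "*"
# matches within a segment, so this catches messeges, messeges-1 ...
# messeges-13 and any future suffix without touching inputs.conf.
# Place this stanza where the data is parsed (indexer or heavy forwarder).
# Assumed path: /var/log/messeges*
[source::.../messeges*]
sourcetype = messeges

# Step 2 (search time): define the field extraction once against the
# shared sourcetype instead of once per file. Deploy this to the search head.
# Assumed event shape: "Mar 14 10:22:01 host1 sshd[1234]: Accepted ..."
# Extracts proc=sshd and pid=1234 (pid is optional in the pattern).
[messeges]
EXTRACT-proc_pid = ^\w{3}\s+\d+\s[\d:]+\s\S+\s(?<proc>[^\[:]+)(?:\[(?<pid>\d+)\])?:
```

Two caveats that follow from the precedence rules quoted above: the `sourcetype` override only works in a `[source::...]` stanza, and any `EXTRACT-*` you leave behind in a `[host::<host>]` or `[source::<source>]` stanza will silently take precedence over the `[messeges]` one, so once the shared sourcetype is in place, remove the per-file extractions rather than keeping them alongside it.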