Re: How to specify source stanza for non-file inpu...

anton085 · ‎08-10-2017

I am trying to write some source:: stanzas in props.conf to forward data to another system. For file inputs (e.g., monitor type inputs), I can write [source::/path/to/file] and it works. However, I am wondering what would the part of source:: be for other source types such as windows event logs. For example, when I tried [source::Application] for matching Windows Application Event logs, it didn't work, but when I tried [source::WinEventLog:Application], it worked.

My question is, is there a list of prefixes such as WinEventLog for input types other than file? For example, what would be the prefix patterns for Local Performance Monitoring, TCP/UDP, Registry Monitoring, Local Windows Host, Printer, Network monitoring etc? In lieu of prefix patterns, how would I write the source:: stanza for the above types?

gcusello · ‎08-11-2017

Hi anton085,
you can use also other default fields as sourcetype instead source.
I always prefer to use sourcetype instead source to make this.
Bye.
Giuseppe

anton085 · ‎08-11-2017

What if I wanted to forward only a particular source of a sourcetype? Setting a sourcetype would mean all sources will be forwarded, and I don't want that. I assumed there would be predefined values for sources that Splunk supports out of the box.

hardikJsheth · ‎08-10-2017

No there aren't any fix values. You can set source as required in the inputs.conf and then use the same in props.conf file.

anton085 · ‎08-11-2017

I assumed there would be predefined values for sources (and sourcetypes) that Splunk supports out of the box.

How to specify source stanza for non-file input types in props.conf

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases