Solved: Re: Sourcetype cannot work with RENAME

catty · ‎10-03-2011

I trying to rename sourcetype for this regex but won't work
but when i remove the rename = httpd-access its work?

[access]

rename = httpd-access

EXTRACT-ip = [(?P[^]]+)

EXTRACT-host = (?i)^[^,]*,\d+\s+(?P[^ ]+)

i using splunk Uforwarder

[monitor:///opt/log/*]

sourcetype = access

Ledion_Bitincka · ‎10-03-2011

I am not sure I completely understand your question, but I am going to assume that your field extractions are not working when you have rename attribute set.

Sourcetype renaming is a search time operation that happens before field extractions. Thus Splunk will use search-time field extractions defined in [httpd-access] stanza for events that have been indexed as coming from the "access" sourcetype. Give the following props.conf stanzas (in the search head) a test run

[access]
rename = httpd-access

[httpd-access]
EXTRACT-ip = [(?P<ip>[^]]+)
EXTRACT-host = (?i)^[^,]*,d+s+(?P<host>[^ ]+)

View solution in original post

Ledion_Bitincka · ‎10-03-2011

I am not sure I completely understand your question, but I am going to assume that your field extractions are not working when you have rename attribute set.

Sourcetype renaming is a search time operation that happens before field extractions. Thus Splunk will use search-time field extractions defined in [httpd-access] stanza for events that have been indexed as coming from the "access" sourcetype. Give the following props.conf stanzas (in the search head) a test run

[access]
rename = httpd-access

[httpd-access]
EXTRACT-ip = [(?P<ip>[^]]+)
EXTRACT-host = (?i)^[^,]*,d+s+(?P<host>[^ ]+)

catty · ‎10-03-2011

that work great help..! thank you very much.. FIXED!

Sourcetype cannot work with RENAME

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases