Rule-based association of sourcetypes
You can create rules to automatically assign source types in Splunk. Use props.conf to set source typing rules.
Source type precedence
Splunk associates source types using the following precedence:
- Explicit specification of sourcetype per source, by creating a stanza in props.conf:
  [$SOURCE]
  sourcetype=$SOURCETYPE
- Rule-based association of sourcetypes: lets you match sources to sourcetypes using regular expressions in source type classification rules, specified in rule:: stanzas in props.conf.
- Intelligent document matching: matches similar-looking files and creates a source type for them.
- Delayed rules: work like rule-based associations, except that you create a [delayedrule::] stanza in props.conf. These are useful "catch-alls" for source types, in case any were missed before Splunk attempted to create new source types.
- New learned sourcetype creation: Splunk creates new source types for sources that don't already have a source type associated with them.
Configuration
A rule is created by adding a rule:: or delayedrule:: stanza to props.conf. Under the rule stanza, declare the name of the source type. After the source type declaration, list the statements that assign the source type. Rules are built from a series of MORE_THAN and LESS_THAN statements that must all be satisfied. Each statement is a regular expression paired with a percentage threshold: it is satisfied when the percentage of lines in the source that match the regular expression is above (MORE_THAN) or below (LESS_THAN) that threshold. Any number of statements can be specified, and all of them must be satisfied for the source to fit the source type rule.
Add the following to $SPLUNK_HOME/etc/bundles/local/props.conf:
[rule::$RULE_NAME]  (or [delayedrule::$RULE_NAME])
sourcetype = $SOURCETYPE
MORE_THAN_$PERCENT = $REGEX
LESS_THAN_$PERCENT = $REGEX
Please note: a rule can have many MORE_THAN and LESS_THAN patterns, and all of them are required for the rule to match.
Each statement is evaluated as the percentage of the source's lines that match its regular expression. The threshold is the number in the key name: MORE_THAN_80 is satisfied when more than 80% of the lines match, and LESS_THAN_10 when fewer than 10% do.
Examples
The following examples come from $SPLUNK_HOME/etc/bundles/default.
postfix syslog files
# postfix_syslog sourcetype rule
[rule::postfix_syslog]
sourcetype = postfix_syslog
# If 80% of lines match this regex, then it must be this type
MORE_THAN_80=^\w{3} +\d+ \d\d:\d\d:\d\d .* postfix(/\w+)?\[\d+\]:
delayed rule for breakable text
# breaks text on ascii art and blanklines if more than 10% of lines have
# ascii art or blanklines, and less than 10% have timestamps
[delayedrule::breakable_text]
sourcetype = breakable_text
MORE_THAN_10 = (^(?:---|===|\*\*\*|___|=+=))|^\s*$
LESS_THAN_10 = [: ][012]?[0-9]:[0-5][0-9]
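To make the evaluation semantics of the Configuration section and the two example stanzas concrete, here is an added, stand-alone Python model of how such rules are applied. It is not Splunk's code: it parses rule:: and delayedrule:: stanzas out of props.conf text, computes the percentage of lines each regular expression matches, and requires every statement to hold. It assumes unanchored per-line regex search, strictly-more-than and strictly-fewer-than comparisons, and that rule:: stanzas are tried before delayedrule:: stanzas; explicit per-source stanzas and intelligent document matching are not modelled. The props.conf text and the sample sources (hostnames, PIDs, queue IDs, timestamps) are constructed for the example.

```python
import re

# Constructed copy of the two rule stanzas shown above, in props.conf syntax,
# embedded here so the example runs offline rather than reading $SPLUNK_HOME.
PROPS_CONF = r"""
# postfix_syslog sourcetype rule
[rule::postfix_syslog]
sourcetype = postfix_syslog
MORE_THAN_80=^\w{3} +\d+ \d\d:\d\d:\d\d .* postfix(/\w+)?\[\d+\]:

# delayed catch-all for text broken on ascii art / blank lines
[delayedrule::breakable_text]
sourcetype = breakable_text
MORE_THAN_10 = (^(?:---|===|\*\*\*|___|=+=))|^\s*$
LESS_THAN_10 = [: ][012]?[0-9]:[0-5][0-9]
"""

STANZA_RE = re.compile(r"^\[(rule|delayedrule)::([^\]]+)\]$")


def load_rules(conf_text):
    """Parse rule::/delayedrule:: stanzas into dicts of phase, name, sourcetype, statements."""
    rules, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = {"phase": m.group(1), "name": m.group(2),
                       "sourcetype": None, "statements": {}}
            rules.append(current)
            continue
        if line.startswith("["):  # some other stanza type: stop collecting keys
            current = None
            continue
        if current is None:
            continue
        # Only the first '=' separates key and value, so '=' inside a regex survives.
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "sourcetype":
            current["sourcetype"] = value
        elif key.startswith(("MORE_THAN_", "LESS_THAN_")):
            current["statements"][key] = value
    return rules


def parse_statement(key):
    """Split a key such as 'MORE_THAN_80' into ('MORE_THAN', 80.0)."""
    kind, _, pct = key.rpartition("_")
    if kind not in ("MORE_THAN", "LESS_THAN"):
        raise ValueError(f"not a rule statement: {key}")
    return kind, float(pct)


def match_percentage(lines, pattern):
    """Percentage of lines in which the regex is found (unanchored search per line)."""
    if not lines:
        return 0.0
    rx = re.compile(pattern)
    return 100.0 * sum(1 for line in lines if rx.search(line)) / len(lines)


def evaluate(lines, statements):
    """Return [(key, percentage, satisfied)] for every statement of one rule.
    Assumption: MORE_THAN_N is strictly > N percent, LESS_THAN_N strictly < N."""
    results = []
    for key, pattern in statements.items():
        kind, threshold = parse_statement(key)
        pct = match_percentage(lines, pattern)
        results.append((key, pct, pct > threshold if kind == "MORE_THAN" else pct < threshold))
    return results


def rule_matches(lines, statements):
    """All statements must hold; a single failing statement rejects the rule."""
    return all(ok for _, _, ok in evaluate(lines, statements))


def classify(lines, rules):
    """Sourcetype of the first matching rule, trying rule:: before delayedrule::.
    None means no rule fired and Splunk would go on to learn a new sourcetype."""
    for phase in ("rule", "delayedrule"):
        for rule in rules:
            if rule["phase"] == phase and rule_matches(lines, rule["statements"]):
                return rule["sourcetype"]
    return None


# Constructed sample sources (hostnames, PIDs and queue IDs are made up).
POSTFIX_SAMPLE = [
    "Mar  3 12:00:01 mailhost postfix/smtpd[1234]: connect from unknown[192.0.2.10]",
    "Mar  3 12:00:01 mailhost postfix/smtpd[1234]: disconnect from unknown[192.0.2.10]",
    "Mar  3 12:00:02 mailhost postfix/qmgr[987]: 4F2A1C3: removed",
    "Mar  3 12:00:04 mailhost postfix[900]: daemon started",
]
BREAKABLE_SAMPLE = ["Quarterly report", "================", "Revenue was flat.", "", "Outlook: stable."]
# Blank lines satisfy MORE_THAN_10, but the timestamps violate LESS_THAN_10, so
# breakable_text does not fire: every statement has to hold, not just one.
TIMESTAMPED_SAMPLE = ["2019-01-01 10:15:00 service started", "", "2019-01-01 10:15:02 listening on port 25", ""]

if __name__ == "__main__":
    rules = load_rules(PROPS_CONF)
    for label, sample in (("postfix", POSTFIX_SAMPLE), ("report", BREAKABLE_SAMPLE), ("timestamped", TIMESTAMPED_SAMPLE)):
        print(f"{label} -> {classify(sample, rules)}")
        for rule in rules:
            for key, pct, ok in evaluate(sample, rule["statements"]):
                print(f"   {rule['name']}.{key}: {pct:.1f}% {'ok' if ok else 'FAIL'}")
```

Running the script prints, for each sample, the sourcetype chosen and the per-statement percentages, which is the quickest way to see why a source landed in breakable_text or fell through to a learned sourcetype when a rule's regex was off by a little.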
This documentation applies to the following versions of Splunk: 3.1.2, 3.1.3, 3.1.4