Documentation > Splunk > Admin Manual > Rule-based association of source types

Admin Manual

 


About the Splunk Admin Manual
How Splunk Works
Getting Started
Data Inputs
Data Distribution
Indexing
Timestamps
Fields
Hosts
Source Types
Event Types
Transaction Types
Search
Distributed Search
Alerts
Security
Data Management
Deployment Server
Performance Tuning
Configuration Files
Applications
Reference
Troubleshooting

Rule-based association of source types

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Contents

Rule-based association of source types

Create rules to automatically assign source types in Splunk. Use props.conf to set source typing rules. Edit props.conf in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see how configuration files work.


Configuration

Create a rule by adding a rule:: or delayedrule:: stanza to props.conf. Under the rule stanza, declare the name of the source type. After the source type declaration, list the rules to assign the source type. Rules are created based on a series of MORE_THAN, and LESS_THAN statements that must be matched. The statements are regular expressions that must be matched by the specified percentage of lines that match the regular expression. Any number of statements can be specified, and all statements must match in order for the source to fit the source type rule.

Add the following to $SPLUNK_HOME/etc/system/local/props.conf: 

[rule::$RULE_NAME] OR [delayedrule::$RULE_NAME]
sourcetype=$SOURCETYPE
MORE_THAN = $REGEX
LESS_THAN = $REGEX

Note: A rule can have many MORE_THAN and LESS_THAN patterns. All must be met in order for the rule to match.

Rules are created based on the percentage of the number of lines that contain the specified string. To match, a rule can be either MORE_THAN or LESS_THAN that percentage.


Examples

The following examples come from $SPLUNK_HOME/etc/system/default.

postfix syslog files 

# postfix_syslog sourcetype rule
[rule::postfix_syslog]
sourcetype = postfix_syslog
# If 80% of lines match this regex, then it must be this type
MORE_THAN_80=^\w{3} +\d+ \d\d:\d\d:\d\d .* postfix(/\w+)?\[\d+\]:

delayed rule for breakable text 

# breaks text on ascii art and blanklines if more than 10% of lines have
# ascii art or blanklines, and less than 10% have timestamps
[delayedrule::breakable_text]
sourcetype = breakable_text
MORE_THAN_10 = (^(?:---|===|\*\*\*|___|=+=))|^\s*$
LESSS_THAN_10 = [: ][012]?[0-9]:[0-5][0-9]
Retrieved from "http://docs.splunk.com/Documentation/Splunk/3.4.1/Admin/RulebasedAssociationOfSourceTypes"

This documentation applies to the following versions of Splunk: 3.3 , 3.3.1 , 3.3.2 , 3.3.3 , 3.3.4 , 3.4 , 3.4.1 , 3.4.2 , 3.4.3 , 3.4.5 , 3.4.6 , 3.4.8 , 3.4.9 , 3.4.10 , 3.4.11 , 3.4.12 , 3.4.13 , 3.4.14 View the Article History for its revisions.


You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.