• [source::/logs/.../*.log]
  ° This matches the source attribute, which is usually the path of the log file the event came from.
  ° * matches a single file or directory name (it does not cross a path separator).
  ° ... matches any part of a path, including path separators.
• [host::*nyc*]
  ° This matches the host attribute, which is usually the hostname of the machine running the Splunk forwarder.
  ° * is allowed here as well.
Precedence across stanza types follows this order:
1. Source.
2. Host.
3. Source type.
For instance, say an event has the following fields:
sourcetype=foo_type
source=/logs/abc/def/gh.log
host=dns4.nyc.mycompany.com
Given this configuration snippet and our preceding event:
[foo_type]
TZ = UTC
[source::/logs/.../*.log]
TZ = MST
[host::*nyc*]
TZ = EDT
TZ = MST would be used during parsing, because the source stanza takes precedence over both the host stanza and the sourcetype stanza.
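The precedence rule above can be checked mechanically. The following script is an added example, not code from the book or from Splunk: it parses a small props.conf-style snippet, matches each stanza against an event using the two wildcards described above (* stays inside one path segment, ... crosses separators), and then merges the matching stanzas attribute by attribute so that, for every attribute, the value comes from the highest-precedence matching stanza type (source, then host, then sourcetype). The PROPS snippet and EVENT below are constructed for the example; they reproduce the page's TZ case and add a second attribute, TRANSFORMS-a, set in two stanzas, plus a TRANSFORMS-b set only in the host stanza, to show that attributes are resolved independently. Two matching stanzas of the same type are a tie here and the first one listed wins; the real product applies further tie-break rules (for instance the priority setting) that this model does not implement.

```python
import re

# Constructed props.conf snippet (not the page's own file): the page's three
# stanzas, extended with TRANSFORMS attributes so the per-attribute merge shows.
PROPS = """
[foo_type]
TZ = UTC
TRANSFORMS-a = from_sourcetype

[source::/logs/.../*.log]
TZ = MST
TRANSFORMS-a = from_source

[host::*nyc*]
TZ = EDT
TRANSFORMS-b = from_host
"""

# Constructed event, same fields as the page's example.
EVENT = {
    "sourcetype": "foo_type",
    "source": "/logs/abc/def/gh.log",
    "host": "dns4.nyc.mycompany.com",
}

# Lower rank wins: source beats host, host beats sourcetype.
RANK = {"source": 0, "host": 1, "sourcetype": 2}


def wildcard_to_regex(pattern):
    """Translate a source::/host:: pattern into an anchored regex.

    '...' matches anything, including path separators; '*' matches anything
    except a path separator, i.e. at most one file or directory name.
    """
    out = []
    for piece in re.split(r"(\.\.\.|\*)", pattern):
        if piece == "...":
            out.append(".*")
        elif piece == "*":
            out.append(r"[^/\\]*")
        else:
            out.append(re.escape(piece))
    return "^" + "".join(out) + "$"


def pattern_matches(pattern, value):
    """True when a source/host wildcard pattern matches the whole value."""
    return re.match(wildcard_to_regex(pattern), value) is not None


def parse_props(text):
    """Parse a props.conf snippet into [(stanza_name, {attribute: value}), ...]."""
    stanzas = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanzas.append((line[1:-1], {}))
        elif "=" in line and stanzas:
            key, _, value = line.partition("=")
            stanzas[-1][1][key.strip()] = value.strip()
    return stanzas


def stanza_kind(name):
    """Return ('source', pattern), ('host', pattern) or ('sourcetype', name)."""
    for prefix in ("source::", "host::"):
        if name.startswith(prefix):
            return prefix[:-2], name[len(prefix):]
    return "sourcetype", name


def stanza_matches(name, event):
    """Does this stanza apply to the event? Sourcetype stanzas match literally."""
    kind, pattern = stanza_kind(name)
    if kind == "sourcetype":
        return event["sourcetype"] == pattern
    return pattern_matches(pattern, event[kind])


def effective_settings(props_text, event):
    """Merge all matching stanzas, attribute by attribute.

    Each attribute takes its value from the matching stanza whose type has the
    highest precedence; on a tie the first stanza listed is kept (the real
    product has extra tie-break rules not modelled here).
    Returns {attribute: (value, stanza_name)}.
    """
    chosen = {}
    for name, attrs in parse_props(props_text):
        if not stanza_matches(name, event):
            continue
        rank = RANK[stanza_kind(name)[0]]
        for key, value in attrs.items():
            if key not in chosen or rank < chosen[key][2]:
                chosen[key] = (value, name, rank)
    return {k: (v, n) for k, (v, n, _) in chosen.items()}


if __name__ == "__main__":
    for key, (value, stanza) in sorted(effective_settings(PROPS, EVENT).items()):
        print(f"{key} = {value}    (from [{stanza}])")
```

Run against the constructed event, TZ resolves to MST from the source stanza exactly as the page states, TRANSFORMS-a also comes from the source stanza, and TRANSFORMS-b is taken from the host stanza because nothing of higher precedence sets it. Feeding an event whose source is outside /logs/ and whose host lacks "nyc" drops both wildcard stanzas and leaves only the sourcetype defaults, which is a quick way to sanity-check a props.conf change before pushing it to forwarders.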
To extend this example, say we have this snippet:
[foo_type]
TZ = UTC
TRANSFORMS-a = from_sourcetype
[source::/logs/.../*.log]