To flatten this value, we could use a stanza like this:
[myapp_flatten_source]
SOURCE_KEY = MetaData:Source
DEST_KEY = MetaData:Source
REGEX = (.*session_).*\.log
FORMAT = source::$1x.log
This would set the value of source to /logs/myapp.session_x.log, which would
eliminate our growing source problem.
If the value of session is useful, the transform in the Creating a session field from
source section could be run before this transform to capture the value. Likewise,
a transform could capture the entire value of source and place it into a different
metadata field.
A huge number of logfiles on a filesystem introduces a few problems,
including running out of inodes and the memory used by the Splunk
process tracking all of the files. As a general rule, a cleanup process
should be designed to archive older logs.
Overriding sourcetype
It is not uncommon to change the sourcetype field of an event based on the contents
of the event, particularly for events that arrive via syslog. In our fictitious example,
we want a different source type for events that contain [MBX] after the log level so
that we can apply different field extractions to these events. The following stanza
does this work:
[mbx_sourcetype]
DEST_KEY = MetaData:Sourcetype
REGEX = \d+\s[A-Z]+\s\[MBX\]
FORMAT = sourcetype::mbx
Use this functionality carefully, as it is easy to go conceptually wrong, and this is
difficult to fix later.
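To see how the two stanzas above behave together, here is an added example (not Splunk's code and not from the book) that simulates the SOURCE_KEY, DEST_KEY, REGEX and FORMAT handling of transforms.conf on a constructed event. The metadata key mapping, the sample event and the stanza text are assumptions for this simulation.

```python
import re
# Constructed transforms.conf text reproducing the two stanzas discussed above.
TRANSFORMS_CONF = r"""[myapp_flatten_source]
SOURCE_KEY = MetaData:Source
DEST_KEY = MetaData:Source
REGEX = (.*session_).*\.log
FORMAT = source::$1x.log
[mbx_sourcetype]
DEST_KEY = MetaData:Sourcetype
REGEX = \d+\s[A-Z]+\s\[MBX\]
FORMAT = sourcetype::mbx
"""

# Splunk metadata keys mapped to the event field they read from or write to.
KEYS = {"MetaData:Source": "source", "MetaData:Sourcetype": "sourcetype", "_raw": "_raw"}

# Constructed sample event: a per-session log file containing an [MBX] line.
SAMPLE_EVENT = {"source": "/logs/myapp.session_1234567.log", "sourcetype": "myapp",
                "_raw": "2012-02-01 12:00:00 1234 INFO [MBX] user logged in"}

def parse_transforms(text):
    """Parse [stanza] headers and key = value lines into a list of dicts."""
    stanzas, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = {"name": line[1:-1]}
            stanzas.append(current)
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def apply_transform(stanza, event):
    """Apply one stanza to an event dict and return an updated copy."""
    src = KEYS[stanza.get("SOURCE_KEY", "_raw")]   # SOURCE_KEY defaults to _raw
    dest = KEYS[stanza["DEST_KEY"]]
    match = re.search(stanza["REGEX"], event.get(src, ""))
    if not match:
        return event                               # no match: metadata unchanged
    # FORMAT is "field::value"; $1, $2 ... are replaced with the capture groups.
    _, _, fmt = stanza["FORMAT"].partition("::")
    value = re.sub(r"\$(\d+)", lambda m: match.group(int(m.group(1))), fmt)
    return {**event, dest: value}

def apply_all(stanzas, event):
    """Run every stanza in order, as the TRANSFORMS list in props.conf would."""
    for stanza in stanzas:
        event = apply_transform(stanza, event)
    return event
```

Running `apply_all(parse_transforms(TRANSFORMS_CONF), SAMPLE_EVENT)` flattens the source to /logs/myapp.session_x.log and rewrites the sourcetype to mbx, while an event without [MBX] keeps its original sourcetype.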
Routing events to a different index
At times, you may want to send events to a different index, either because they need
to live longer than other events or because they contain sensitive information that
should not be seen by all users. This can be applied to any type of event from any
source, whether it is a file, a network input, or a script.