This documentation does not apply to the most recent version of Splunk.
This documentation applies to the following versions of Splunk: 3.2, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6
Create rules to automatically assign source types in Splunk. Use props.conf to set source typing rules.
Create a rule by adding a rule:: or delayedrule:: stanza to props.conf. Under the rule stanza, declare the name of the source type. After the source type declaration, list the rules that assign the source type. A rule is built from a series of MORE_THAN and LESS_THAN statements, each of which must be satisfied. Each statement is a regular expression together with a percentage: the statement is satisfied when the specified percentage of lines in the source match the regular expression. Any number of statements can be specified, and all of them must be satisfied for the source to fit the source type rule.
Add the following to $SPLUNK_HOME/etc/bundles/local/props.conf:
[rule::$RULE_NAME] OR [delayedrule::$RULE_NAME]
sourcetype=$SOURCETYPE
MORE_THAN = $REGEX
LESS_THAN = $REGEX
Note: A rule can have many MORE_THAN and LESS_THAN patterns. All must be met in order for the rule to match.
Rules are evaluated on the percentage of lines that contain the specified pattern. A statement tests whether the matching lines make up MORE_THAN or LESS_THAN that percentage; the percentage is written into the attribute name, as in MORE_THAN_80.
This feature applies to tail and archive inputs only.
The following examples come from $SPLUNK_HOME/etc/bundles/default.
# postfix_syslog sourcetype rule
[rule::postfix_syslog]
sourcetype = postfix_syslog
# If 80% of lines match this regex, then it must be this type
MORE_THAN_80=^\w{3} +\d+ \d\d:\d\d:\d\d .* postfix(/\w+)?\[\d+\]:
# breaks text on ascii art and blanklines if more than 10% of lines have
# ascii art or blanklines, and less than 10% have timestamps
[delayedrule::breakable_text]
sourcetype = breakable_text
MORE_THAN_10 = (^(?:---|===|\*\*\*|___|=+=))|^\s*$
LESS_THAN_10 = [: ][012]?[0-9]:[0-5][0-9]
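The matching procedure described above, as an added Python example that is not part of Splunk or of this documentation: it parses the page's two rule stanzas, computes the percentage of lines on which each regex matches, and applies every MORE_THAN/LESS_THAN test before assigning the source type. It assumes that MORE_THAN_N is met at N% or more and LESS_THAN_N strictly below N%, and that delayedrule stanzas are tried after rule stanzas; the sample log lines are constructed.

```python
import re
# Constructed props.conf text: the page's two stanzas, with comments dropped
PROPS_CONF = r"""
[rule::postfix_syslog]
sourcetype = postfix_syslog
MORE_THAN_80=^\w{3} +\d+ \d\d:\d\d:\d\d .* postfix(/\w+)?\[\d+\]:
[delayedrule::breakable_text]
sourcetype = breakable_text
MORE_THAN_10 = (^(?:---|===|\*\*\*|___|=+=))|^\s*$
LESS_THAN_10 = [: ][012]?[0-9]:[0-5][0-9]
"""
# Constructed sample input: four postfix lines plus one sshd line, i.e. exactly 80% postfix
POSTFIX_LINES = [
    "Mar  5 10:22:01 mailhost postfix/smtpd[1234]: connect from unknown[192.0.2.1]",
    "Mar  5 10:22:02 mailhost postfix/smtpd[1234]: disconnect from unknown[192.0.2.1]",
    "Mar  5 10:22:05 mailhost postfix/qmgr[987]: 4F2A1: removed",
    "Mar  5 10:22:06 mailhost postfix/cleanup[2001]: 4F2A1: message-id=<x@example.com>",
    "Mar  5 10:22:07 mailhost sshd[555]: Accepted publickey for user",
]

def parse_rules(text):
    """Parse rule::/delayedrule:: stanzas; each test is (MORE|LESS, percent, compiled regex)."""
    rules, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        head = re.match(r"^\[(rule|delayedrule)::(.+)\]$", line)
        key, _, value = map(str.strip, line.partition("="))  # first '=' only; a regex may contain '='
        test = re.match(r"^(MORE|LESS)_THAN_(\d+)$", key)    # the percentage is part of the attribute name
        if head:
            rules.append(cur := {"sourcetype": None, "tests": [], "delayed": head.group(1) == "delayedrule"})
        elif key == "sourcetype":
            cur["sourcetype"] = value
        elif test:
            cur["tests"].append((test.group(1), int(test.group(2)), re.compile(value)))
    return rules

def rule_matches(rule, lines):
    """All tests must hold. Assumption: MORE_THAN_N means N% or more, LESS_THAN_N means below N%."""
    for op, pct, pattern in rule["tests"]:
        matched = 100.0 * sum(1 for l in lines if pattern.search(l)) / len(lines)  # % of lines matched
        if (op == "MORE" and matched < pct) or (op == "LESS" and matched >= pct):
            return False
    return True

def assign_sourcetype(text, lines):
    """First matching rule wins; delayedrule stanzas are tried after rule stanzas (assumption)."""
    for rule in sorted(parse_rules(text), key=lambda r: r["delayed"]):
        if rule_matches(rule, lines):
            return rule["sourcetype"]
    return None
```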