Forums: SplunkAdministration: Setting sourcetype in props.conf on a Windows server

Most (nearly all) of the information that I'm finding for using a [source:: ] statement in the props.conf to set sourcetype=something is done in non Windows syntax and I am having issues with this in Windows. I have tried a couple different variations, but basically I am looking to set a sourcetype for a file with the following naming structure:
Website_7.2.1008_9001_requests.log

The numbers between Website_ and _requests.log will be dynamic, so I need something that will account for any variation of numbers in between. I've tried this with a couple of options, neither worked:
[source::...\\logs\\Website_\d\.\d\.\d+_\d+\_\w+\.log]

[source::...*requests.log]

Is anyone able to assist?

Both of those should match your file name (assuming it's located in a folder called "logs"). A couple of things to try:

• make your regex case-insensitive:

[source::(?i)...\\logs\\Website_\d\.\d\.\d+_\d+_\w+\.log]
or
[source::(?i)...requests.log]

• if files are being forwarded and sourcetype was set on the forwarder, or if an explicit sourcetype is set in the inputs.conf for local monitors, then this won't override that. If you do need to override, you'll have to do so with a TRANSFORMS clause, but it would be better to unset it further up the line.

I tried both of these options, as well as removing the explicit sourcetype that I had set up in the inputs.conf for this monitor. I still am not able to get the sourcetype set.

Is there a shorter way to determine if my source stanza in the props.conf is working other than to make a change, restart the splunk service, wait 10 minutes and search in Splunk on that host name?

you can use the information in this topic to examine your configurations and see what's being used:

http://www.splunk.com/base/Documentation/latest/Admin/Troubleshootingconfigurations

unfortunately no results from running the btool command. It seems difficult to find Windows specific information as most syntax online and in example files is for linux systems

actually syntax in the docs was wrong (for all platforms).

it has been fixed now. Use

.\splunk cmd btool props list-debug

thanks, gkanapathy!

unfortunately, that doesn't work either. I tried another variation as well with the same results. Here is what I got:

C:\Program Files\Splunk\bin>splunk cmd btool props list-debug
Config path: C:\Program Files\Splunk\etc
Usage: btool <bundle> list [prefix]
btool <bundle> add
btool <bundle> delete [prefix] [entry]

C:\Program Files\Splunk\bin>splunk cmd btool list-debug props
Config path: C:\Program Files\Splunk\etc
Usage: btool <bundle> list [prefix]
btool <bundle> add
btool <bundle> delete [prefix] [entry]

Back to the original need in the post, what is the proper syntax for setting a sourcetype in props.conf on a Windows server? I've tried even just including the exact file name in the [source::filename] statement and it still does not work.

I'll submit a case on this.