Assign the correct source types to your data

The source type is one of the default fields that the Splunk platform assigns to all incoming data, and it determines how the Splunk platform formats the data during indexing. By assigning the correct source type to your data, the indexed version of the data appears the way you want it to, with correct timestamps and event breaks.

The Splunk platform comes with many predefined source types and attempts to assign the correct source type to your data based on its format. You can confirm that the Splunk platform indexes your data as you want it to appear using the Set Source Type page in Splunk Web. In some cases, you might need to manually select a different predefined source type for the data. In other cases, you might need to create a new source type with customized event-processing settings.

On the Set Source Type page, you can see how the Splunk platform will index the data based on the application of a predefined source type. You can modify the settings interactively and save those modifications as a new source type. Ensure that you're assigning the right source type to your data by following these steps on the Set Source Type page:

1. See what your data will look like without any changes, using the default event-processing configuration.
2. Apply a different source type to see whether it offers preferable results.
3. Modify settings for timestamps and event breaks to improve the quality of the indexed data, and save the modifications as a new source type.

If you use Splunk Enterprise, you can save any new source types to a nf configuration file that you can later distribute across the indexers in your deployment so that the source types are available globally. See Distribute source type configurations in Splunk Enterprise.

Some source types, such as those in the Log to Metrics category, cannot be previewed. See "About the Log to Metrics source type category" later in this topic for details.

For information on source types and why they are so important, see Why source types matter.

About the Log to Metrics source type category

Source types in the Log to Metrics category are special source types. The Splunk platform uses these source types for the ingest-time conversion of log events to metric data points. If you select a source type from this category, a set of Metrics controls appears on the left side of the Set Source Type page. For more information about log-to-metrics conversion and the Metrics settings, see Set up ingest-time log-to-metrics conversion in Splunk Web in the Metrics manual.

When you apply a Log to Metrics source type to an input, you can't preview the data for that input.

Joining fields from two sourcetypes into one table (community question)

I need to join fields from 2 different sourcetypes into 1 table.

Sourcetype A contains the field "cve_str_list" that I want, as well as the fields "criticality_description" and "advisory_identifier". "advisory_identifier" shares the same values as sourcetype b's "advisory.advisory_identifier". From sourcetype b, I'd also like "title" and "assigned_to.username".

I believe I can create a new field for advisory.advisory_identifier and advisory_identifier using

    eval advisory.identifier = coalesce(advisory_identifier,advisory.advisory_identifier)

I'm uncertain how to get the rest of the fields into the search and table so they're mapped to the events from the other sourcetype.

I've tried

    | stats first(criticality_description) as criticality_description
      first(asset_list.name) as asset_list.name
      first(advisory.solution_status_description) as advisory.solution_status_description

but that seemed to have put the sourcetype a data into different events than the sourcetype b data.

I've also tried the append function, but it doesn't add the cve_str_list field into the fields from the other sourcetype.

    sourcetype=a status.name=* queue.name="*" priority.name=*
    | rename advisory.advisory_identifier AS advisory_identifier
    | append
    | dedup id
    | table id priority.name asset_list.name advisory.title last_updated assigned_to.username queue.name status.name advisory_identifier cve_str_list

Can someone help me in arranging this search? Thank you.
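One way to get the advisory fields and the ticket fields onto a single row per ticket, added here as an example; it is not part of the question above or of any answer on the page. It assumes the field names as the question describes them, that `id` identifies a ticket on the side that carries status.name, queue.name and assigned_to.username, and that the advisory side has one record per advisory_identifier (cve_str_list may be multivalued). Because the question's text says sourcetype A holds cve_str_list while its own search filters `sourcetype=a` on the ticket fields, the example uses the hypothetical sourcetype names `tickets` and `advisories` instead; substitute the real ones.

```spl
(sourcetype=tickets status.name=* queue.name=* priority.name=*) OR (sourcetype=advisories advisory_identifier=*)
| eval advisory_identifier = coalesce(advisory_identifier, 'advisory.advisory_identifier')
| eventstats values(cve_str_list) AS cve_str_list
             values(criticality_description) AS criticality_description
             BY advisory_identifier
| where sourcetype="tickets"
| dedup id
| table id priority.name asset_list.name advisory.title last_updated assigned_to.username queue.name status.name advisory_identifier cve_str_list criticality_description
```

Three points are doing the work. First, both sourcetypes are pulled in by one base search with OR, so there is no `append` subsearch and none of the subsearch result and time limits that can silently truncate the advisory side. Second, `eventstats ... BY advisory_identifier` copies the advisory values onto every event that shares the key and keeps every event, so each ticket remains its own row; a plain `stats` without a BY clause (as in the question) collapses everything into one row, and `stats ... BY advisory_identifier` would merge tickets that reference the same advisory. The `where sourcetype="tickets"` line then drops the advisory events once they have contributed their fields. Third, in `eval` the dot is the string-concatenation operator, so `coalesce(advisory_identifier, advisory.advisory_identifier)` concatenates the field `advisory` with `advisory_identifier` rather than reading the dotted field; wrapping the dotted name in single quotes makes eval treat it as a field reference. `values()` returns a deduplicated, sorted multivalue, which is the right shape for a CVE list; if an advisory can have more than one record with different criticality_description values, expect a multivalue there too and decide which one the table should show.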
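The three steps in the documentation section above (preview with defaults, try another source type, then tune timestamps and event breaks and save the result) end in a props.conf stanza, which is the file Splunk Enterprise uses to define source types. The stanza below is an added example, not from the original page: the source type name `acme:vpn` and the sample log lines in the comments are constructed, while the setting names are standard props.conf settings.

```ini
# props.conf - added example, hypothetical source type "acme:vpn".
#
# Constructed sample events this stanza is tuned for (not from the page):
#   2024-03-14T09:15:02.117Z vpn01 session=open user=jdoe src=203.0.113.7
#       tunnel=ipsec
#   2024-03-14T09:15:04.003Z vpn01 session=close user=jdoe src=203.0.113.7
#       bytes_in=1048576
# Every event starts with an ISO 8601 UTC timestamp; continuation lines are
# indented, so breaking only before a date keeps them attached to the event.
[acme:vpn]

# Event breaking: one event per timestamp-led line. Turning line merging off
# and giving an explicit LINE_BREAKER is faster and more predictable than the
# default merge-by-timestamp behaviour. The capture group is the text removed
# at the break; the lookahead keeps the date with the next event.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\d{4}-\d{2}-\d{2}T)

# Timestamp extraction: anchor at the start of the event, parse the exact
# format (millisecond precision via %3N), and look no further than the 23
# characters the timestamp occupies. The trailing "Z" is not parsed; the
# time zone is set explicitly instead so the events are never shifted to the
# indexer's local zone.
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N
MAX_TIMESTAMP_LOOKAHEAD = 23
TZ = UTC

# Guard rails: explicit character set, and an upper bound on event size so a
# malformed or hostile input line cannot become a multi-megabyte event.
CHARSET = UTF-8
TRUNCATE = 10000
```

Validate the stanza with the Set Source Type preview before distributing it, and deploy it to the instances that actually parse the input (the indexers, or heavy forwarders if they sit in front of them), because these are index-time settings that a universal forwarder does not apply. Once data is indexed, its timestamps and event boundaries are fixed unless it is re-indexed; a wrong TIME_FORMAT or a missing TZ does not produce an error, it quietly places events at the wrong point in the timeline, which is exactly what an investigation or a time-bounded detection relies on.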