I'm building a Splunk App and I'd like my users to be able to point the import at a single folder and have it accurately import each type of IRC log. However, even with a well-defined source type of:
[ZNC]
pulldown_type = true
category = IRC
LINE_BREAKER = \r{0,1}\n
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD = 15
EXTRACT-baseinfo = (?P\w+)[\\\/](?P\w+)[\\\/](?P#.+)[\\\/](?:.+\.log) in source
EXTRACT-IRCmessage = (?:\[.+\]) <(?P.+)> (?P.+)
EXTRACT-userjoinquitpart = (\*\*\*) (?P.+): (?P.+) \((?P.+)@(?P.+?)\)( \((?P.+?)\)){0,1}
EXTRACT-topic = \*\*\* (?P.+? ).+? (?P.+?) to (?P\'.+')
EXTRACT-kicked = \*\*\* (?P.+?) was (?P.+? )by (?P.+?) \((?P.+)\)
LOOKUP-IRC_actions = EventLookup action AS event OUTPUT IRCevent as event
It will still randomly pick up partial dates as the source type. I've read about a field where you can specify a source file regex for each sourcetype, but several of my planned source types have identical naming schemes.
So, what can I do to give hints to the autotyper that this is type A vs type B?
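The EXTRACT-* patterns from the stanza above, replayed against constructed ZNC-style lines with Python's re module (which accepts the same (?P<name>...) syntax Splunk's PCRE uses), as an added example that is not part of the original post. The group names (nick, message, action, ident, host, reason, by, topic, network, user, channel) are assumptions, since the stanza's <name> tokens did not survive; it also confirms that a non-IRC line matches none of them, which is the behaviour a distinct sourcetype relies on.

```python
import re

# Group names are assumptions: the posted stanza lost its <name> tokens.
EXTRACTIONS = {
    "IRCmessage": re.compile(r"(?:\[.+\]) <(?P<nick>.+)> (?P<message>.+)"),
    "userjoinquitpart": re.compile(
        r"(\*\*\*) (?P<action>.+): (?P<nick>.+) \((?P<ident>.+)@(?P<host>.+?)\)"
        r"( \((?P<reason>.+?)\)){0,1}"),
    "topic": re.compile(r"\*\*\* (?P<nick>.+? ).+? (?P<action>.+?) to (?P<topic>\'.+')"),
    "kicked": re.compile(r"\*\*\* (?P<nick>.+?) was (?P<action>.+? )by (?P<by>.+?) \((?P<reason>.+)\)"),
}
# EXTRACT-baseinfo ends with "in source": it runs against the file path, not the event.
BASEINFO = re.compile(r"(?P<network>\w+)[\\/](?P<user>\w+)[\\/](?P<channel>#.+)[\\/](?:.+\.log)")


def extract_fields(raw):
    """Apply every EXTRACT-* pattern to one event, as Splunk does at search time.
    Returns {extraction name: {field: value}} for each pattern that matched."""
    found = {}
    for name, rx in EXTRACTIONS.items():
        m = rx.search(raw)
        if m:
            found[name] = {k: v for k, v in m.groupdict().items() if v is not None}
    return found


def source_fields(source):
    """Fields EXTRACT-baseinfo would pull from the source path ({} if no match)."""
    m = BASEINFO.search(source)
    return m.groupdict() if m else {}


SAMPLE_SOURCE = "/znc/logs/freenode/alice/#splunk/2014-03-01.log"  # constructed path
SAMPLE_LINES = [  # constructed ZNC-style events; the last line is deliberately not IRC
    "[12:00:01] *** Joins: alice (alice@example.org)",
    "[12:00:05] <alice> hello world",
    "[12:00:09] *** alice changes topic to 'log parsing'",
    "[12:00:12] *** bob was kicked by alice (spamming)",
    "[12:00:15] *** Quits: alice (alice@example.org) (Quit: bye)",
    "Mar  1 12:00:20 host sshd[123]: Accepted publickey for bob",
]

if __name__ == "__main__":
    print(source_fields(SAMPLE_SOURCE))
    for line in SAMPLE_LINES:
        print(line, "->", extract_fields(line))
```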