Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Better to convert all source to syslog?

michael_lee
Path Finder
‎01-16-2016 07:37 PM

Is it better to convert all log sources to syslog and then do searching in Splunk? This way is more standardised and makes search faster? Or we do not have to care about it as spunk will take care of this in an efficient way? I ask because there are many different types of log sources, namely csv, normal text, windows event logs etc..... How do make sense of them if they are not uniform?

Tags (3)
0 Karma
Reply

sloshburch
Splunk Employee
Splunk Employee
‎01-21-2016 10:43 AM

I would say DO NOT do any conversion. Splunk's core feature is the fact that it can take data of varying formats and styles and, thanks to scheme-on-the-fly and field extraction, allow you to compare and manipulate fields that represent the same data, regardless of the format.

Transforming prior only reverts back to the ETL world and manifests dependencies.

Take advantage of what splunk does best. Over time you'll see that the format of the individual events is not important because you're manipulating fields and looking for trends and values of those fields. At that point you rarely look at the events because you use stats-type commands.

Reply

rfaircloth_splu
Splunk Employee
Splunk Employee
‎01-18-2016 09:24 PM

Conversion requires a central point to collect original data form, conversion, and then forwarding. This is index time work that is very complicated, costly in terms of latency addition and unforgiving as you can not correct errors once made. With splunk you can deal with most things at search time. For example if a data field is named "source" and you prefer src you can alias source to src so both versions will work at search time with no performance penalty.

Reply

a212830
Champion
‎01-17-2016 05:06 AM

Converting all those sources would take time... and Splunk can handle all of those other sources (some very easily), so my recommendation would be to keep the format. We use a ton of syslog, but also have lots of other types, and Splunk can handle them all.

Reply

renjith_nair
Legend
‎01-16-2016 09:01 PM

Though it's up to you how you want to push data to splunk, you really don't need to convert all your sources but what matters is sourcetype

  • The source is the name of the file, stream, or other input from which a particular event originates.

  • The sourcetype specifies the format for the event. Splunk uses this field to determine how to format the incoming data stream into individual events.Events with the same source type can come from different sources.

Since Splunk Enterprise uses the source type to decide how to format your data, it is important that you assign the correct source type to your data. That way, the indexed version of the data (the event data) looks the way you want, with appropriate timestamps and event breaks. This facilitates easier searching of the data later.

More read :

http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Whysourcetypesmatter
http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Listofpretrainedsourcetypes

Once you have indexed data with correct sourcetypes, you can use SPL to search and correlate your data.

---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...