Splunk source types

Rather than assigning the same source type to all events from Transaction Analysis Workbench, you might prefer more granularity, that is, more source types. Here are some methods for assigning different source types to events.

Per port

You can define a TCP input (port) for each source type.

For example, in inputs.conf:

[tcp://:6068]
# Miscellaneous z/OS events
sourcetype = fuw

[tcp://:6069]
# CICS events
sourcetype = cics

[tcp://:6070]
# DB2 events
sourcetype = db2

In props.conf, use the regular-expression alternation operator (|) in the stanza name to set the same properties for all of these source types:

[fuw|cics|db2]
# Common properties for these source types

With this method, you must forward each log to the port that corresponds to its source type. In this example, for instance, the Transaction Analysis Workbench JSON commands for logs that are to have source type cics must refer to a STREAM command for port 6069.

Per stream

If you add the following setting to your Splunk inputs.conf stanza:

requireHeader = true

then you can use the HEADER parameter of the Transaction Analysis Workbench STREAM command to send a header line that overrides the source type for events sent in the subsequent JSON Lines.

For example:

STREAM NAME(SPLUNK) +
       HEADER(***SPLUNK*** sourcetype=cics)

Per event

You can use transforms in Splunk to override the source type per event.

Each line of JSON Lines from Transaction Analysis Workbench contains a type field that identifies the log type and code of the original log record. You can use this field to set the Splunk source type.

For example, in props.conf, append the following line to the stanza for the corresponding source type or input:

TRANSFORMS-changesourcetype = set_sourcetype_fuw

and add the following stanza to transforms.conf:

[set_sourcetype_fuw]
# Set sourcetype to type field in JSON from FUW
REGEX = \"type\":\"([^\"]+)\"
FORMAT = sourcetype::$1
DEST_KEY = MetaData:Sourcetype
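To see what this transform actually does to an event, the following Python script (an added example, not part of this page or of Splunk or Transaction Analysis Workbench) applies the REGEX and FORMAT settings above to constructed JSON Lines and compares the result with what a JSON parser reads from the top-level type field. The sample events and their type values are made up; the point is the caveat that the transform matches raw text, so a nested "type" key that appears earlier in the line wins, and a space after the colon makes the match fail and the event keep its original source type.

```python
import json
import re

# transforms.conf settings from the [set_sourcetype_fuw] stanza, reproduced for simulation
REGEX = r'\"type\":\"([^\"]+)\"'
FORMAT = "sourcetype::$1"

_TYPE_RE = re.compile(REGEX)


def apply_transform(line: str, default_sourcetype: str) -> str:
    """Emulate the transform on one raw event.

    Splunk runs REGEX over the raw event text; on a match, $1 in FORMAT is
    replaced by the first capture group and written to MetaData:Sourcetype.
    Without a match the event keeps the source type it arrived with.
    """
    m = _TYPE_RE.search(line)
    if m is None:
        return default_sourcetype
    key, value = FORMAT.replace("$1", m.group(1)).split("::", 1)
    assert key == "sourcetype"
    return value


def sourcetype_from_parsed_json(line: str, default_sourcetype: str) -> str:
    """Cross-check: the top-level 'type' value as a JSON parser sees it."""
    try:
        obj = json.loads(line)
    except json.JSONDecodeError:
        return default_sourcetype
    value = obj.get("type")
    return value if isinstance(value, str) and value else default_sourcetype


# Constructed sample events; not real Transaction Analysis Workbench output.
SAMPLE_EVENTS = [
    '{"type":"CICS","time":"2024-01-01T00:00:00Z","tran":"ABCD"}',
    '{"type":"DB2","time":"2024-01-01T00:00:01Z","plan":"PLAN1"}',
    '{"time":"2024-01-01T00:00:02Z","msg":"no type field"}',
    '{"detail":{"type":"inner"},"type":"CICS"}',       # nested "type" key comes first
    '{"type": "CICS","time":"2024-01-01T00:00:03Z"}',  # space after the colon
]


def classify_all(events, default_sourcetype="fuw"):
    """Return the source type the transform would assign to each event."""
    return [apply_transform(e, default_sourcetype) for e in events]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(apply_transform(ev, "fuw"), "<-", ev)
```

The last two sample lines show where the raw-text match and the parsed JSON disagree, which is worth checking against real output before relying on the transform.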