Getting Data In

Why is my props and transforms configuration not renaming a sourcetype as expected?

cmlombardo
Path Finder

Hi,

I think I have everything in place to change the sourcetype name, but something is not happening. All the other transforms are applied.

Here is my props.conf:

[iport-syslog]

TRANSFORMS-2_IronportSetSourcetype = iport_setsourcetype_mail

Here is the transforms associated:

[iport_setsourcetype_mail]
REGEX = .
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::iport_mail_test

What comes out in Splunk is the data with the original sourcetype (iport-syslog).
What am I missing?

Thank you,
Claudio

0 Karma

Rob
Splunk Employee

First things first, I would recommend restarting Splunk to make sure your configuration is loaded.

Next, you might want to try running btool or S.o.S to see what the config is that Splunk is running with.

$SPLUNK_HOME/bin/splunk cmd btool props list --debug iport-syslog

That should help with figuring out if there are any other props.conf stanzas that could be overriding the sourcetype renaming that you are attempting.

Lastly, you can also add the sourcetype rename at search time with the rename parameter in props.conf

EDIT: One more thing, you might want to try changing the dash to an underscore in the sourcetype name. Splunk might try to change that internally and that could also be causing the transform to not hit as it could be looking for iport_syslog.

0 Karma

cmlombardo
Path Finder

Hi Rob,

I have changed the "-" to "_". Thank you for your suggestion.
I have also verified with btool that there are no overrides for iport_syslog. The only processing is done by those props/transforms.

At this point I am baffled. All the transforms I have in the file work like a charm and the events show up formatted exactly like I want them to. The sourcetype rename is not kicking in. There is something I am missing but I can't see it!

Theoretically this should work, right?

0 Karma

somesoni2
SplunkTrust

Since you're changing the sourcetype of all events, why not change it in inputs.conf on the forwarders themselves?

Also, you can get rid of REGEX as you want to change for all events.

0 Karma

cmlombardo
Path Finder

Hi somesoni. I am doing this because I will need, in the near future, to be able to triage those events to different sourcetypes. This is just a test to see if it works. And, obviously, for now it doesn't.

0 Karma
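As an added example (not code from the thread or from Splunk), the following script cross-checks the props.conf and transforms.conf stanzas posted above the way a reviewer would before reaching for btool: every transform named in a TRANSFORMS-* key must exist, carry a REGEX, and, when it targets MetaData:Sourcetype, use a FORMAT of the form sourcetype::<name>. The sample .conf text is constructed inline; the "broken" variant is invented to show what a mismatch looks like.

```python
"""Lint the link between props.conf TRANSFORMS-* keys and transforms.conf stanzas."""
import configparser

# Constructed copies of the stanzas posted in the question (not read from disk).
PROPS_CONF = """
[iport-syslog]
TRANSFORMS-2_IronportSetSourcetype = iport_setsourcetype_mail
"""
TRANSFORMS_CONF = """
[iport_setsourcetype_mail]
REGEX = .
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::iport_mail_test
"""

# Deliberately broken variant (invented): one reference to a missing stanza,
# and a FORMAT that lacks the required "sourcetype::" prefix.
BROKEN_PROPS_CONF = """
[iport_syslog]
TRANSFORMS-rename = iport_setsourcetype_mail, not_defined
"""
BROKEN_TRANSFORMS_CONF = """
[iport_setsourcetype_mail]
REGEX = .
DEST_KEY = MetaData:Sourcetype
FORMAT = iport_mail_test
"""


def load_conf(text):
    """Parse Splunk-style .conf text; keys are case-sensitive, so keep their case."""
    parser = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    parser.optionxform = str
    parser.read_string(text)
    return parser


def check_sourcetype_overrides(props_text, transforms_text):
    """Return a list of (props_stanza, transform_name, problem) tuples; empty means OK."""
    props, transforms = load_conf(props_text), load_conf(transforms_text)
    problems = []
    for stanza in props.sections():
        for key, value in props.items(stanza):
            if not key.startswith("TRANSFORMS-"):
                continue
            for name in (n.strip() for n in value.split(",")):
                if name not in transforms:
                    problems.append((stanza, name, "transform stanza missing"))
                    continue
                t = transforms[name]
                if "REGEX" not in t:
                    problems.append((stanza, name, "REGEX missing"))
                if t.get("DEST_KEY") == "MetaData:Sourcetype" and not t.get("FORMAT", "").startswith("sourcetype::"):
                    problems.append((stanza, name, "FORMAT must be sourcetype::<name>"))
    return problems
```

If this returns an empty list for your real files, the stanzas themselves are consistent and the cause lies elsewhere (precedence, which host parses the data, or a cached config), which is where btool comes in.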