- Splunk Answers
- :
- Splunk Platform Products
- :
- Splunk Enterprise
- :
- props.conf cant figure source
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have enabled content based routing in my environment; consisting of a lightweight forwarder (A) & a splunk server (B).
I have set REGEX on server side (B) to filter out logs I dont want from a file monitored on A. I want to filter out events that match my REGEX & index them to index sis & drop events that dont match by sending them to nullQueue.
Also I guess since I already mentioned index in transforms.conf I dont need to configure anything in outputs.conf
However i cant seem to figure out what to set as source i.e in props.conf
I have set the receiver on B as 8001. i.e. splunkserver:8001 How do I set this in my props.conf??
props.conf
['what do i set here?']
TRANSFORMS-routing3 = shell,others
transforms.conf
[shell]
REGEX= .*([Ss][Ii])
DEST_KEY=_MetaData:Index
FORMAT= sis
[others]
REGEX=^((?![Ss][Ii])).)*$
DEST_KEY=queue
FORMAT=nullQueue
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The easiest way to do it would be to specify a sourcetype name in inputs.conf on your lightweight forwarder. Just add sourcetype=myshellstuff to the stanza you're using for watching this particular data. Then you can change ['what do i set here?'] to [myshellstuff].
['what do i set here?'] can be lots of stuff though. Check out http://www.splunk.com/base/Documentation/latest/Admin/Propsconf for more info; specifically the section on about []. It's right at the top, and it has a list of all the stuff can be.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For reference :
====inputs.conf on LightWeight Forwarder side:
[monitor://D:\LOGS\Sis102010.txt ] sourcetype= src_Si
====props.conf on Indexer side:
[src_Si]
TRANSFORMS-routing3 = shell,others
====transforms.conf
Same as before
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The easiest way to do it would be to specify a sourcetype name in inputs.conf on your lightweight forwarder. Just add sourcetype=myshellstuff to the stanza you're using for watching this particular data. Then you can change ['what do i set here?'] to [myshellstuff].
['what do i set here?'] can be lots of stuff though. Check out http://www.splunk.com/base/Documentation/latest/Admin/Propsconf for more info; specifically the section on about []. It's right at the top, and it has a list of all the stuff can be.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Solved!! Thanks CarlS 🙂
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
