Splunk Search

Search by sourcetype returns no results

bmaupin
Explorer

I'm indexing some syslog data from UDP. I'm using a transform on the data to set the sourcetype of data from certain hosts like this:

[vmware_set_sourcetype]
SOURCE_KEY=MetaData:Host
DEST_KEY=MetaData:Sourcetype
REGEX=^host::vmware-\d+\.example\.com$
FORMAT=vmware_syslog

That works just fine. When I do a search by host, I see the data as expected, and the sourcetype is vmware_syslog. So, for example, this search returns 30,399 results:

host=vmware-* earliest=-10m

This search, however, returns none:

sourcetype=vmware_syslog earliest=-10m

It's strange, because on my search homepage, I can page through the source types, find vmware_syslog, and click on it to do a search, but I still get no results.

I just want to make sure I'm not missing something before I file a support case.

1 Solution

bmaupin
Explorer

I went ahead and filed a support request, and turns out this is a bug after all. The Splunk folks gave me this search as a workaround:

index="vmware" | search sourcetype=vmware_syslog earliest=-10m

Edit:
Apparently this isn't a bug and I was doing it wrong. The format should have had sourcetype:: prepended to it. So the transform stanza should have looked like this:

[vmware_set_sourcetype]
SOURCE_KEY=MetaData:Host
DEST_KEY=MetaData:Sourcetype
REGEX=^host::vmware-\d+\.example\.com$
FORMAT=sourcetype::vmware_syslog
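
A small lint script that catches the mistake above before it reaches an indexer. This is an added example, not code from the thread or from Splunk; the prefix rules are the ones documented in transforms.conf.spec (sourcetype::, host::, source::, bare name for _MetaData:Index), and the two stanzas inside it are constructed sample input mirroring the broken and corrected versions.

```python
"""Lint transforms.conf stanzas that rewrite index-time metadata keys.

Added example, not code from the original thread. Flags the thread's mistake:
DEST_KEY=MetaData:Sourcetype with a FORMAT that lacks the "sourcetype::" prefix.
Prefix rules follow transforms.conf.spec; the stanzas are constructed input.
"""
import configparser

# DEST_KEY -> prefix FORMAT must carry. _MetaData:Index takes a bare index
# name, so it is listed with an empty prefix and effectively not checked.
REQUIRED_PREFIX = {
    "MetaData:Sourcetype": "sourcetype::",
    "MetaData:Host": "host::",
    "MetaData:Source": "source::",
    "_MetaData:Index": "",
}

# Constructed sample: the thread's broken stanza beside the corrected one.
SAMPLE_TRANSFORMS = r"""
[vmware_set_sourcetype]
SOURCE_KEY=MetaData:Host
DEST_KEY=MetaData:Sourcetype
REGEX=^host::vmware-\d+\.example\.com$
FORMAT=vmware_syslog

[vmware_set_sourcetype_fixed]
SOURCE_KEY=MetaData:Host
DEST_KEY=MetaData:Sourcetype
REGEX=^host::vmware-\d+\.example\.com$
FORMAT=sourcetype::vmware_syslog
"""

def parse_transforms(text):
    """Parse transforms.conf-style text into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), empty_lines_in_values=False)
    cp.optionxform = str  # Splunk keys are case-sensitive; keep DEST_KEY as written
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}

def lint_transforms(text):
    """Return {stanza: message} for stanzas whose FORMAT lacks its required prefix."""
    problems = {}
    for name, kv in parse_transforms(text).items():
        prefix = REQUIRED_PREFIX.get(kv.get("DEST_KEY", ""), "")
        fmt = kv.get("FORMAT", "")
        if prefix and not fmt.startswith(prefix):
            problems[name] = f"FORMAT must start with {prefix!r}, got {fmt!r}"
    return problems
```

Running lint_transforms(SAMPLE_TRANSFORMS) reports only the first stanza; point it at the text of your own transforms.conf to check the rest.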

Ron_Naken
Splunk Employee

What is the count for your sourcetype vmware_syslog on the summary page? 0?

Judging by your host=vmware-* search that returns results, your REGEX won't match any of your events. Unless you plan to use some value extracted by the REGEX as part of your sourcetype, you should use sourcetype= in props.conf instead of your stanza in transforms.conf.

PROPS.CONF:

[source::...mystuff...]
sourcetype=vmware_syslog

P.S. It looks like host:: does not belong in your REGEX -- probably a mixup from the FORMAT clause where that syntax is often used. I would scrap the transforms.conf config and just use props.conf for this.

bmaupin
Explorer

The count for sourcetype vmware_syslog on the summary page is 126,675,534. If it were 0, then I wouldn't have expected any results when I clicked on it 😉

...which also indicates the regex works fine, host:: and all. I got the idea from here:

http://answers.splunk.com/questions/7125/sending-to-different-index-based-on-host-from-syslog-stream...

I'm already using sourcetype= in props.conf to set the sourcetype of most of the data coming into this UDP listener. I need to set data from other servers as a separate sourcetype, but I can't send it to a separate port.
