Hello fellow Splunkers, this is my first post here!
I am trying to configure per-event source type overriding. I have edited the following files:
$SPLUNK_HOME/etc/system/local/transforms.conf:
[windows_logs]
REGEX = AgentDevice=WindowsLog
FORMAT = sourcetype::windows
DEST_KEY = MetaData:SourceType
$SPLUNK_HOME/etc/system/local/props.conf:
[source::tcp:1514]
TRANSFORMS-windows = windows_logs
After editing the files, I restarted Splunk. I am still seeing, however, messages like this:
<13>Oct 21 11:00:17 server.blah.com AgentDevice=WindowsLog AgentLogFile=Security PluginVersion=7.2.2.984723 Source=Microsoft-Windows-Security-Auditing [snip]
source tcp:1514
sourcetype syslog
Notice that the event contains the string AgentDevice=WindowsLog, but the sourcetype is not changed. The source type "windows" exists, I created it.
Can you help with this configuration? It could be something really simple, I'm quite new to Splunk. Thanks!
The problem was a typo in my DEST_KEY field, which is case-sensitive.
Replacing with the following line, everything works.
DEST_KEY = MetaData:Sourcetype
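The answer above is a single-character case difference that Splunk does not complain about; the transform just never fires. The following is an added example, not code from the thread or from Splunk: a small Python linter that parses transforms.conf/props.conf fragments, flags DEST_KEY values that only differ in case from a valid key, and simulates the source-based TRANSFORMS-* routing for sample events so the broken and fixed configurations can be compared side by side. The list of valid DEST_KEY values is taken from transforms.conf.spec; the conf fragments and the two events are constructed copies based on the question, and the routing model is deliberately simplified (exact source:: stanza only, sourcetype rewrites only, REGEX matched against _raw).

```python
import configparser
import re

# DEST_KEY values that transforms.conf accepts (from transforms.conf.spec).
# Splunk compares them case-sensitively, which is why MetaData:SourceType
# silently does nothing while MetaData:Sourcetype works.
VALID_DEST_KEYS = {
    "MetaData:Sourcetype", "MetaData:Host", "MetaData:Source", "_MetaData:Index",
    "queue", "_raw", "_meta", "_time", "_TCP_ROUTING", "_SYSLOG_ROUTING",
}

# Constructed copies of the two configurations from the thread: the original
# (typo in DEST_KEY) and the corrected one.
BROKEN_TRANSFORMS = """
[windows_logs]
REGEX = AgentDevice=WindowsLog
FORMAT = sourcetype::windows
DEST_KEY = MetaData:SourceType
"""

FIXED_TRANSFORMS = BROKEN_TRANSFORMS.replace("MetaData:SourceType", "MetaData:Sourcetype")

PROPS = """
[source::tcp:1514]
TRANSFORMS-windows = windows_logs
"""

# Constructed sample events; the first mirrors the one in the question.
WINDOWS_EVENT = ("<13>Oct 21 11:00:17 server.blah.com AgentDevice=WindowsLog "
                 "AgentLogFile=Security Source=Microsoft-Windows-Security-Auditing")
OTHER_EVENT = "<13>Oct 21 11:00:18 fw.blah.com AgentDevice=Firewall action=drop"


def parse_conf(text):
    """Parse a Splunk .conf fragment into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # Splunk keys are case-sensitive; do not lowercase them
    cp.read_string(text)
    return {name: dict(cp.items(name)) for name in cp.sections()}


def lint_transforms(transforms):
    """Return a list of problems; flags DEST_KEY values that differ only in case."""
    problems = []
    for name, stanza in transforms.items():
        dest = stanza.get("DEST_KEY")
        if dest is None or dest in VALID_DEST_KEYS:
            continue
        msg = f"[{name}] DEST_KEY = {dest} is not a valid destination key"
        hint = next((k for k in VALID_DEST_KEYS if k.lower() == dest.lower()), None)
        if hint:
            msg += f" (DEST_KEY is case-sensitive; did you mean {hint}?)"
        problems.append(msg)
    return problems


def route_sourcetype(props, transforms, source, event, sourcetype="syslog"):
    """Simulate index-time TRANSFORMS-* for one event, for sourcetype rewrites only.

    Simplified model: only the exact source:: stanza is consulted, only
    DEST_KEY = MetaData:Sourcetype with FORMAT = sourcetype::<name> is applied,
    and REGEX is matched against _raw (the default SOURCE_KEY).
    """
    stanza = props.get(f"source::{source}", {})
    for key, value in stanza.items():
        if not key.startswith("TRANSFORMS-"):
            continue
        for tname in (t.strip() for t in value.split(",")):
            t = transforms.get(tname)
            if not t or t.get("DEST_KEY") != "MetaData:Sourcetype":
                continue  # a mis-cased key never reaches this branch
            if not t.get("FORMAT", "").startswith("sourcetype::"):
                continue
            if re.search(t["REGEX"], event):
                sourcetype = t["FORMAT"][len("sourcetype::"):]
    return sourcetype


def main():
    for label, text in (("broken", BROKEN_TRANSFORMS), ("fixed", FIXED_TRANSFORMS)):
        transforms = parse_conf(text)
        print(f"{label}: lint -> {lint_transforms(transforms) or 'ok'}")
        st = route_sourcetype(parse_conf(PROPS), transforms, "tcp:1514", WINDOWS_EVENT)
        print(f"{label}: sourcetype -> {st}")


if __name__ == "__main__":
    main()
```

Running it prints one lint finding and sourcetype "syslog" for the broken configuration, and no findings and sourcetype "windows" for the fixed one. On a real instance the equivalent check is to confirm the merged stanza with `splunk btool transforms list windows_logs --debug` and compare the DEST_KEY value character by character against transforms.conf.spec, then send a test event to the port and verify the sourcetype in search.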