Why is per-event sourcetype override not working with my current props.conf and transforms.conf configuration?

dannestor
Explorer

Hello fellow Splunkers, this is my first post here!

I am trying to configure per-event source type overriding. I have edited the following files:

$SPLUNK_HOME/etc/system/local/transforms.conf:

[windows_logs]
REGEX = AgentDevice=WindowsLog
FORMAT = sourcetype::windows
DEST_KEY = MetaData:SourceType

$SPLUNK_HOME/etc/system/local/props.conf:

[source::tcp:1514]
TRANSFORMS-windows = windows_logs

After editing the files, I restarted Splunk. I am still seeing, however, messages like this:

<13>Oct 21 11:00:17 server.blah.com AgentDevice=WindowsLog  AgentLogFile=Security   PluginVersion=7.2.2.984723  Source=Microsoft-Windows-Security-Auditing  [snip]
source tcp:1514 
sourcetype syslog   

Notice that the event contains the string AgentDevice=WindowsLog, but the sourcetype is not changed. The source type "windows" exists, I created it.

Can you help with this configuration? It could be something really simple, I'm quite new to Splunk. Thanks!

0 Karma
1 Solution

dannestor
Explorer

The problem was a typo in my DEST_KEY field, which is case-sensitive.
Replacing with the following line, everything works.

DEST_KEY = MetaData:Sourcetype
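
The case mismatch that caused this can be caught before restarting Splunk. The following is an added example, not part of the original thread and not Splunk tooling: a small Python check that compares DEST_KEY against commonly documented key names, confirms the FORMAT prefix matches the key, and verifies that each TRANSFORMS- entry in props.conf points at an existing stanza. The function names and the key list (assumed, not exhaustive) are this example's own; the sample input is the question's configuration as posted.

```python
import configparser

# Commonly documented index-time DEST_KEY values (list assumed, not exhaustive).
KNOWN_DEST_KEYS = ["_raw", "queue", "_meta", "_MetaData:Index", "_TCP_ROUTING",
                   "_SYSLOG_ROUTING", "MetaData:Host", "MetaData:Source",
                   "MetaData:Sourcetype"]
BY_LOWER = {k.lower(): k for k in KNOWN_DEST_KEYS}
# FORMAT prefix each MetaData key expects.
FORMAT_PREFIX = {"MetaData:Host": "host::", "MetaData:Source": "source::",
                 "MetaData:Sourcetype": "sourcetype::"}

def parse_conf(text):
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.optionxform = str  # preserve key case instead of lowercasing
    cp.read_string(text)
    return cp

def lint(transforms_text, props_text):
    """Return findings for DEST_KEY casing, FORMAT prefix and dangling TRANSFORMS."""
    transforms, props = parse_conf(transforms_text), parse_conf(props_text)
    findings = []
    for stanza in transforms.sections():
        key = transforms.get(stanza, "DEST_KEY", fallback=None)
        if key is None:
            continue
        canonical = BY_LOWER.get(key.lower(), key)
        if canonical != key:
            findings.append(f"[{stanza}] DEST_KEY '{key}' should be '{canonical}'")
        prefix = FORMAT_PREFIX.get(canonical)
        fmt = transforms.get(stanza, "FORMAT", fallback="")
        if prefix and not fmt.startswith(prefix):
            findings.append(f"[{stanza}] FORMAT should start with '{prefix}'")
    for stanza in props.sections():
        for opt, val in props.items(stanza):
            if not opt.startswith("TRANSFORMS-"):
                continue
            for name in filter(None, (n.strip() for n in val.split(","))):
                if not transforms.has_section(name):
                    findings.append(f"[{stanza}] {opt} -> missing [{name}]")
    return findings

# Constructed sample input: the question's two files as posted.
TRANSFORMS = """[windows_logs]
REGEX = AgentDevice=WindowsLog
FORMAT = sourcetype::windows
DEST_KEY = MetaData:SourceType
"""
PROPS = """[source::tcp:1514]
TRANSFORMS-windows = windows_logs
"""

if __name__ == "__main__":
    for finding in lint(TRANSFORMS, PROPS):
        print(finding)
```

Keys that do not match any known name case-insensitively are passed through without a finding, since the list is not exhaustive.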
