Getting Data In

Why is one transform overriding the other with my current configuration?

michael_sleep
Communicator

Hey there, I have the following in my props.conf file:

[tomcat-appl]
TRANSFORMS-set = createsource, instance

This takes a monitored folder I have (with a dozen or so log files) all set to the sourcetype 'tomcat-appl' and runs them through these transforms:

[instance]
SOURCE_KEY = MetaData:Source
REGEX = ^[^\-\n]*\-(?P<instance>\w+)

[createsource]
DEST_KEY = MetaData:Sourcetype
SOURCE_KEY = MetaData:Source
REGEX = ^(?:[^\\\n]*\\){3}([^\.]+)
FORMAT = sourcetype::$1
WRITE_META = true

The 'instance' transform indexes a field called 'instance' which is parsed out of the file path the log file comes from. This transform was working fine and in searches a new 'instance' field showed up with all of the expected extractions... once I added 'createsource' then instance stopped working... though createsource works fine, createsource makes each input have a sourcetype of their filename.

For some reason, instance will not work when createsource is running and I haven't been able to figure out why. It doesn't seem to matter which order I list them in. I thought maybe createsource was switching the sourcetype and causing it not to run instance but even if I define props/transforms for the new sourcetype it still doesn't work... so I'm not entirely sure what's going on. Any suggestions?

Edit:
I should mention that we have a distributed environment where it goes Universal Forwarder > Heavy forwarder > Indexer. I have set all of these props and transforms on the heavy forwarder and they both have worked individually, but not together.

0 Karma

landen99
Motivator

The short answer is that you changed the sourcetype before your [instance] transform could operate on it.  I get that this question was first asked 6 years ago, but hopefully this answer reveals similar issues that others may be encountering.

Transforms are applied in alphabetical order by the props name and in the order set in each transforms call.

The order set lists createsource first and instance second:

[tomcat-appl]
TRANSFORMS-set = createsource, instance

So, [createsource] changes the sourcetype so that the data no longer matches "tomcat-appl" for [instance] to apply to it.

Listing the props transforms calls separately follows the props name rule, where props are called in alphabetical order by prop names:

[tomcat-appl]
TRANSFORMS-instance_set = instance
TRANSFORMS-createsource_set = createsource

[createsource] starts with a "c", which is before the "i" of [instance].  So [createsource] applies first and changes the sourcetype so that [instance] cannot apply to the data (different sourcetype now).

0 Karma

lguinn2
Legend

Okay, after re-reading the original question twice, I wonder if it would make a difference if you did this

[tomcat-appl]
TRANSFORMS-set = instance, createsource

I know you said you tried it, but just asking. You are correct that the order of the transforms in the TRANSFORMS-set statement makes a difference. The transforms are executed in the order that they are listed.

Also, I wonder if you could do the createsource on the HF and the instance transform on the indexer. I am not at all sure that this would work, but it might be worth a try. Of course, you would need a different props.conf attribute to invoke the instance transform, since all the sourcetypes would have changed at that point.

(P.S. - being an instructor doesn't make me right - I wish!)

0 Karma

michael_sleep
Communicator

I had tried that previously and it didn't have an effect. I had also tried it on the indexer but that didn't work (I didn't expect it to because the heavy forwarder does it before it reaches the indexer). I probably won't ever know why that wasn't working because I 'fixed' it with a search-time extraction for the 'instance' transform I was doing previously. Some definite oddness there.

0 Karma

lguinn2
Legend

Good! A search time field extract is preferable for this case.

0 Karma

lguinn2
Legend

There are several factors that can affect how the transforms execute.

First, transforms are invoked from props.conf - and order of execution can depend on several things, including the class that you gave to the TRANSFORMS statement. But it doesn't depend on the order in which the stanzas appear in transforms.conf

TRANSFORMS-<class> = transforms_stanza_name

It's a long read, but it is always profitable to study props.conf.spec; I learn something every time I read it, and I have read it many times.

And as @meenal901 mentioned, you could also have precedence issues. Again, these can arise in props.conf, as well as transforms.conf. Here is the documentation on btool - and a couple of examples that may help:

splunk cmd btool props list --debug | more
splunk cmd btool transforms list --debug | more

0 Karma

michael_sleep
Communicator

Will look into using btool... I don't have any reason to believe the order something appears in the transforms.conf file would affect precedence but the order of the inline TRANSFORMS- = transform1, transform2, transform3 is something I've wondered about.

0 Karma

jkat54
SplunkTrust

Michael, fyi lguinn is a Splunk instructor. If she says the order of precedence matters it matters. I'm willing to back her on this one because it's true. You're just setting user configurable variables in conf files. When the developer codes he/she says take the last value for this variable you find in this conf file.

Order of precedence matters.

0 Karma

michael_sleep
Communicator

You misinterpreted my comment, which was a reply to her original misinterpretation. I was saying the order of the -stanzas- in the transforms.conf file doesn't matter, which was what she was talking about:

"it doesn't depend on the order in which the stanzas appear in transforms.conf"

0 Karma

lguinn2
Legend

Yes, overall this discussion is headed in the right direction. When there are multiple TRANSFORMS- statements in props.conf, it is my understanding that they are executed in ASCII order of the <class> name, not the stanza name.

0 Karma
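A constructed Python model of the two ordering rules discussed in this thread: landen99's point that a transform which rewrites the sourcetype stops the original stanza from matching for the transforms after it, and the point above that several TRANSFORMS-<class> statements run in ASCII order of <class>. This is added illustration, not the poster's configuration or Splunk's implementation; the Windows file path and the assumption that the 'instance' named group is written as an index-time field are mine.

```python
import re

# Constructed model of the props/transforms ordering discussed in this thread;
# a simplification for illustration, not Splunk's own implementation.
TRANSFORMS = {
    "instance": {  # named group written as an index-time field (assumed)
        "regex": re.compile(r"^[^\-\n]*\-(?P<instance>\w+)")},
    "createsource": {  # FORMAT = sourcetype::$1 rewrites the sourcetype
        "regex": re.compile(r"^(?:[^\\\n]*\\){3}([^\.]+)"),
        "dest_key": "MetaData:Sourcetype"},
}
SAMPLE_SOURCE = r"C:\logs\tomcat\app-web01.log"  # constructed file path

def ordered_transforms(props, sourcetype):
    """TRANSFORMS-<class> keys in ASCII order of <class>, then listed order."""
    stanza = props.get(sourcetype, {})
    names = []
    for key in sorted(k for k in stanza if k.startswith("TRANSFORMS-")):
        names.extend(n.strip() for n in stanza[key].split(","))
    return names

def apply_transform(name, event):
    t = TRANSFORMS[name]
    m = t["regex"].match(event["MetaData:Source"])  # SOURCE_KEY = MetaData:Source
    if m is None:
        return
    if "dest_key" in t:
        event[t["dest_key"]] = m.group(1)  # sourcetype::$1
    else:
        event["fields"].update(m.groupdict())

def process(props, source=SAMPLE_SOURCE):
    """Apply the transforms listed for the original stanza; once a transform
    changes the sourcetype the stanza no longer matches and the rest are skipped.
    Returns (applied transforms, final sourcetype, index-time fields)."""
    event = {"MetaData:Source": source, "MetaData:Sourcetype": "tomcat-appl",
             "fields": {}}
    applied = []
    for name in ordered_transforms(props, "tomcat-appl"):
        if event["MetaData:Sourcetype"] != "tomcat-appl":
            break
        apply_transform(name, event)
        applied.append(name)
    return applied, event["MetaData:Sourcetype"], event["fields"]

AS_POSTED = {"tomcat-appl": {"TRANSFORMS-set": "createsource, instance"}}
SPLIT_KEYS = {"tomcat-appl": {"TRANSFORMS-instance_set": "instance",
                              "TRANSFORMS-createsource_set": "createsource"}}
SWAPPED = {"tomcat-appl": {"TRANSFORMS-set": "instance, createsource"}}
```

With AS_POSTED and SPLIT_KEYS only createsource runs and no instance field is produced; with SWAPPED the instance field is extracted before the sourcetype becomes app-web01.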

jkat54
SplunkTrust

As a side note, some props and transforms happen on the universal forwarder. I'm curious what happens when you deploy the props and transforms to the uf. There are some lists that show what happens where but it's easier for me to ask you to test...

0 Karma

michael_sleep
Communicator

These happen during the parsing phase on the heavy forwarder, not on the universal forwarder.

meenal901
Communicator

Configuration file precedence might be your problem here. Search for stanza "createsource" in all transforms.conf (etc/apps, etc/system/local, etc/users) some file is overriding your settings.

0 Karma

michael_sleep
Communicator

There are no other configurations for that transform.

0 Karma