Getting Data In

How to execute TRANSFORMS by source name in props.conf?

chrisboy68
Contributor

Hi,

Given the below:

inputs.conf

[monitor://\\MyServer\MyFolder]
disabled = false
host = MyServer
index = MyIndex
sourcetype = MySourceType
ignoreOlderThan = 2d
recursive = false
whitelist = (MyLog1\d+-\d+\.txt)|(MyLog2\d+-\d+\.txt)

props.conf

[MySourceType]
TRANSFORMS-trash = badError, badError2
BREAK_ONLY_BEFORE_DATE = TRUE
SHOULD_LINEMERGE = TRUE
TIME_FORMAT = %m/%d/%Y %T
TRUNCATE = 0
MAX_DAYS_AGO = 2
sourcetype = MySourceType


[source::.../\\Myfolder\\MyLog2*.txt]
TRANSFORMS-removejunk = setnull , setparsing

[source::..../MyServer\\MyFolder\\MyLog2*.txt]
TRANSFORMS-removejunk = setnull , setparsing


[source::\\\\MyServer\MyFolder\MyLog2*.txt]
TRANSFORMS-removejunk = setnull , setparsing

I'm trying to have a transform just for one of the log files (MyLog2) in the white list. The file is a UNC path and I have tried the 3 naming entries and nothing works. I use setnull and setparsing elsewhere so I know they function properly.

Is there a way to do this by source?

I have a workaround by creating a separate stanza just for this file, but it would be less configuration to be able to use the white list and execute a transform by source name.

Thank you,

Chris

0 Karma

maraman_splunk
Splunk Employee
Splunk Employee

are you on a single full instance or in a distributed architecture with some forwarders ?
In the second case, your settings may not be deployed on the correct instance.

0 Karma

chrisboy68
Contributor

Single. No forwarders.

Thanks for trying to help.

Chris

0 Karma

lguinn2
Legend

I think that the problem is definitely in your source:: spec. And I believe that it should be

[source::\\\\MyServer\\MyFolder\\MyLog2*.txt]

You might want to review the props.conf Global Settings
I learn something new every time I read the props.conf documentation!

0 Karma

chrisboy68
Contributor

Thanks. I just tried :
[source::\\MyServer\MyFolder\MyLog2*.txt]
Still no go. Maybe I'm missing something in reading the props.conf docs...

Chris

0 Karma

lguinn2
Legend

Have you checked the file $SPLUNK_HOME/var/log/splunk/splunkd.log for any warnings or errors?
Also, just running $SPLUNK_HOME/bin/splunk btool check might also turn up something.

I'm running low on ideas...

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...