I am attempting to override the sourcetype of an event that is coming in on UDP:516 based on the host address but I haven't had any success. This is what I have so far.
props.conf
[source::UDP:516]
TRANSFORMS = transSnort
transforms.conf
[transSnort]
REGEX="10.41.140.151"
FORMAT= sourcetype::snort
DEST_KEY = MetaData:Sourcetype
Any ideas what I am doing wrong?
You will also want to qualify the IP address of the incoming remote host as a RegEx. Examples below.
In transforms.conf create a stanza for this regex rule that sets the metadata property for indexing or sourcetype.
The metadata config setting for sourcetype is:
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::networkdata:appliancename
The metadata config setting for index is:
DEST_KEY = _MetaData:Index
FORMAT = index::myindexname
Put the IP address list of similar sources together.
Then in props.conf reference this label.
Distribute this configuration to all tiers of the Splunk deployment (Forwarding, Indexing, and Search).
See:
http://docs.splunk.com/Documentation/Splunk/6.0.2/Admin/Transformsconf
####### props.conf
[source::UDP:514]
TRANSFORMS-syslog = syslog_mydatasourcetype, syslog_myindex
####### transforms.conf
### Note: escape the periods in the IP address
### so you don't accidentally match 10a31b20c19
### A stanza carries one DEST_KEY and one FORMAT, so the sourcetype
### and the index each get their own stanza, both listed in props.conf
# one ip address exactly
[syslog_mydatasourcetype]
REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)10\.0\.0\.5\s
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::mydatasourcetype
[syslog_myindex]
REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)10\.0\.0\.5\s
DEST_KEY = _MetaData:Index
FORMAT = index::myindexname
# two ip addresses: use this REGEX in both stanzas instead
# REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)(?:10\.0\.0\.5|10\.0\.0\.6)\s
# a range of IP addresses .10-.19
# REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)10\.0\.0\.1\d\s
First, you don't have an identifier for your TRANSFORMS directive. I honestly do not know what behaviour this causes in Splunk - you should use an identifier (for instance "TRANSFORMS-transsnort").
Second, you've put the IP number within quotes - Splunk will match everything that follows REGEX=, including the quotes, so that's a very likely reason why it's not working.
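To see the two failure modes called out in this thread side by side with a working configuration (the quoted REGEX value from the question, and the unescaped periods that the first answer's note warns about), here is an added Python example that is not from the original post or from Splunk: it parses transforms.conf-style stanzas and applies them to constructed syslog lines the way Splunk's index-time REGEX/FORMAT/DEST_KEY rewrite does. The stanza names snort_sourcetype and lab_range_index, the index name lab, the sample lines, and the trailing `?` that makes the middle sequence-number/facility token optional (so a plain BSD syslog header also matches) are all assumptions made for the example.

```python
"""Simulate Splunk's REGEX / FORMAT / DEST_KEY index-time metadata rewrite
on sample syslog lines, to show why the configs in this thread behave as they do."""
import configparser
import re

# Constructed sample events (not from the original post). The transform sees
# the raw event, syslog header included.
SAMPLE_LINES = [
    "Mar  4 10:15:22 10.41.140.151 snort[1234]: alert: sample rule fired",
    "Mar  4 10:15:23 10a41b140c151 app[1]: hostname that only looks like the IP",
    "Mar  4 10:15:24 10.0.0.5 sshd[99]: Accepted publickey for admin",
    "Mar  4 10:15:25 10.0.0.17 kernel: eth0: link up",
    "Mar  4 10:15:26 10.0.0.50 cron[7]: job done",
]

# The question's stanza, verbatim: the quotes become part of the REGEX value.
QUOTED = """
[transSnort]
REGEX="10.41.140.151"
FORMAT= sourcetype::snort
DEST_KEY = MetaData:Sourcetype
"""

# Quotes removed but periods still unescaped: '.' matches any character.
UNESCAPED = """
[transSnort]
REGEX = 10.41.140.151
FORMAT = sourcetype::snort
DEST_KEY = MetaData:Sourcetype
"""

# Escaped periods, anchored to the syslog host position, one stanza per
# DEST_KEY. The middle group is optional so a plain BSD syslog header (no
# sequence number or facility.severity token) also matches. Stanza and index
# names are assumptions for this example.
FIXED = r"""
[snort_sourcetype]
REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)?10\.41\.140\.151\s
FORMAT = sourcetype::snort
DEST_KEY = MetaData:Sourcetype

[lab_range_index]
REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)?10\.0\.0\.1\d\s
FORMAT = index::lab
DEST_KEY = _MetaData:Index
"""


def load_transforms(text):
    """Parse transforms.conf text into (name, regex, field, value) tuples.
    Like Splunk, configparser does not strip quotes from a value."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep REGEX / FORMAT / DEST_KEY as written
    cp.read_string(text)
    rules = []
    for name in cp.sections():
        field, value = cp[name]["FORMAT"].split("::", 1)
        rules.append((name, cp[name]["REGEX"], field.strip(), value.strip()))
    return rules


def apply_transforms(line, rules, sourcetype="syslog", index="main"):
    """Run each rule against the raw event in order; a later match overwrites
    an earlier one, as the entries of a TRANSFORMS-<class> list do in Splunk."""
    meta = {"sourcetype": sourcetype, "index": index}
    for _name, regex, field, value in rules:
        if re.search(regex, line):
            meta[field] = value
    return meta


def route_all(conf_text, lines=SAMPLE_LINES):
    """Return the (sourcetype, index) pair each sample line ends up with."""
    rules = load_transforms(conf_text)
    return [(m["sourcetype"], m["index"])
            for m in (apply_transforms(line, rules) for line in lines)]


if __name__ == "__main__":
    for label, conf in (("quoted", QUOTED), ("unescaped", UNESCAPED), ("fixed", FIXED)):
        print(label)
        for line, result in zip(SAMPLE_LINES, route_all(conf)):
            print(f"  {line[:30]:30} -> {result}")
```

Splunk's regex engine is PCRE and Python's re agrees with it on these patterns. On a real instance, confirm what the parsing tier actually loaded with `splunk btool transforms list --debug` and `splunk btool props list --debug`, then send a test event and check `index=* | stats count by host sourcetype index`; index-time transforms only affect events indexed after the restart, so already-indexed data keeps its old sourcetype.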