configuring sourcetype with props transforms and i...

woodchuck · ‎08-06-2010

hello everyone,

I know there are many similar posts to this, and i have read a lot but i cant seem to get it to work.

I am trying to manually change the sourcetype. I have a LWF and a indexer. im trying to change my iptables logs sourcetype to "iptables". i've tried several different things. I probably have several things wrong, if someone could point me in the right direction or tell me exactly what to do that would be great. here is some stuff I have at the moment.

on my LWF:

inputs.conf:

[monitor:///var/log/kern.log]
sourcetype = test

[monitor:///var/log/syslog]
sourcetype = test

on my indexer:

props.conf:

[test]

REPORT-iptables = iptables

-also tried TRANSFORMS

transforms.conf:

[iptables]

DEST_KEY = MetaData:sourcetype
REGEX = \bIN\w*\b.*\bTCP\b
FORMAT = sourcetype::sourcetype

all my iptables logs have either INBOUND TCP or INPUT TCP, im trying to use an easy regex, as i havent used it before.

here is an example of a log:

Aug  6 10:50:03 VM2 kernel: [ 9468.989438]  INBOUND TCP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:c0:00:08:08:00 SRC=192.168.232.1 DST=192.168.232.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=312 PROTO=UDP SPT=138 DPT=138 LEN=209

if there is something i didn't post that would be helpful let me know.

Thanks!

Stephen_Sorkin · ‎08-08-2010

There are two issues here:

In props.conf, an index time transformation should be TRANSFORMS-iptables = iptables as opposed to REPORT-.
In transforms.conf, the correct DEST_KEY, according to $SPLUNK_HOME/etc/system/README/transforms.conf.spec is MetaData:Sourcetype.

woodchuck · ‎08-09-2010

thanks, its seems to work now!

configuring sourcetype with props transforms and inputs

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!