Getting Data In

Sourcetype overriding works but strange

evelenke
Contributor

Hi Splunkers,

please help with the following issue:
we get logs from a Tomcat server in syslog text format (single file), which is added as a Monitored File Input.
There are 3 types of events in the file: Access, Runtime and system (syslog).
So I have configured transforms:

[app-set-sourcetype_access]
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::tomcat:access:log
REGEX = (access-log)

[app-set-sourcetype_runtime]
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::tomcat:runtime:log
REGEX = (runtime-log)

[app-set-sourcetype_syslog]
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::syslog
# '|' added between yum\[ and kernel\[ ; as posted, 'yum\[kernel\[' could only match the literal text 'yum[kernel['
REGEX = (sshd\[|crond\[|\ssu\:|\skernel\:|crontab\[|anacron\[|CROND\[|Hostd\[|proftpd\[|systemd\[|systemd\:|postfix\/|sudo\[|ntpd\[|su\[|yum\[|kernel\[|rsyslogd\[)

and extractions:

[host::myappserver]
TRANSFORMS-change_appSourcetype = app-set-sourcetype_access, app-set-sourcetype_syslog, app-set-sourcetype_runtime

In inputs sourcetype value for this file is:

sourcetype = tomcat:access:log

Then in Splunk I see all sourcetypes presented in a Fields tab for field sourcetype and each event has correct sourcetype mapped in the Events tab.
But when I add sourcetype=tomcat:runtime:log OR syslog to a search query, I receive nothing. Only for 1st (sourcetype=tomcat:access:log) I receive events, but events that should be mapped to syslog.

When I have only 2 sourcetypes in the overriding rule, everything is shown correctly.
Is it something known, or should I change something?
Splunk Enterprise 6.6.2

0 Karma

micahkemp
Champion

Perhaps your search was all that was wrong. You had this in your question for your search:

sourcetype=tomcat:runtime:log OR syslog

You can't search like field=value OR differentvalue. Instead you would have to do:

sourcetype=tomcat:runtime:log OR sourcetype=syslog
0 Karma

p_gurav
Champion

Can you try using sourcetype in props.conf instead of host?

evelenke
Contributor

Hm, this works - now I see 2 of 3. But somehow the syslog events are all now mapped to tomcat:access:log.

Current props.conf

[tomcat:access:log]
TRANSFORMS-change_appSourcetype = app-set-sourcetype_syslog, app-set-sourcetype_runtime
0 Karma
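An added illustration, not code from this thread or from Splunk: a small Python model of how the TRANSFORMS list in the last props.conf above assigns a sourcetype to each event, with the syslog events ending up as tomcat:access:log whenever the syslog REGEX fails to match. The ordering rule (transforms evaluated in list order, last match writes DEST_KEY), the sample events, the hostname and the corrected syslog pattern are assumptions made for the example.

```python
import re

# Constructed stand-ins for the transforms.conf stanzas in the question,
# ordered as in the final props.conf list: (name, REGEX, FORMAT sourcetype).
SYSLOG_REGEX_AS_POSTED = (
    r"(sshd\[|crond\[|\ssu\:|\skernel\:|crontab\[|anacron\[|CROND\[|Hostd\["
    r"|proftpd\[|systemd\[|systemd\:|postfix\/|sudo\[|ntpd\[|su\[|yum\[kernel\["
    r"|rsyslogd\[)"
)
# Same pattern with a '|' between 'yum\[' and 'kernel\['; as posted, that
# alternative can only match the literal text 'yum[kernel['.
SYSLOG_REGEX_FIXED = SYSLOG_REGEX_AS_POSTED.replace(r"yum\[kernel\[", r"yum\[|kernel\[")

def build_transforms(syslog_regex):
    return [
        ("app-set-sourcetype_syslog", syslog_regex, "syslog"),
        ("app-set-sourcetype_runtime", r"(runtime-log)", "tomcat:runtime:log"),
    ]

DEFAULT_SOURCETYPE = "tomcat:access:log"  # sourcetype assigned in inputs.conf

def assign_sourcetype(raw, transforms, default=DEFAULT_SOURCETYPE):
    """Return the sourcetype an event ends up with.
    Models a TRANSFORMS-<class> list (assumption): each transform is tried in
    order and every one whose REGEX matches writes DEST_KEY, so if several
    match the last one wins; events matching none keep the inputs.conf value.
    """
    sourcetype = default
    for _name, regex, value in transforms:
        if re.search(regex, raw):
            sourcetype = value
    return sourcetype

# Constructed sample events (not real log data), one per expected sourcetype.
SAMPLE_EVENTS = [
    'Mar 10 12:00:01 myappserver tomcat access-log 10.0.0.5 "GET /app/ HTTP/1.1" 200',
    "Mar 10 12:00:02 myappserver tomcat runtime-log INFO Server startup in 4211 ms",
    "Mar 10 12:00:03 myappserver sshd[1234]: Accepted publickey for deploy from 10.0.0.9",
    "Mar 10 12:00:04 myappserver yum[2222]: Updated: openssl-1.0.2k.x86_64",
]

def classify(events, syslog_regex=SYSLOG_REGEX_FIXED):
    """Map each event to the sourcetype the transform chain gives it."""
    transforms = build_transforms(syslog_regex)
    return [assign_sourcetype(e, transforms) for e in events]

if __name__ == "__main__":
    for label, rx in (("as posted", SYSLOG_REGEX_AS_POSTED), ("fixed", SYSLOG_REGEX_FIXED)):
        print(label, classify(SAMPLE_EVENTS, rx))
```

Running it shows the yum line falling back to tomcat:access:log with the regex as posted and becoming syslog with the corrected one; a quick way to check a pattern is `splunk btool transforms list app-set-sourcetype_syslog` against a sample line before reloading the stanza.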