Hi Splunkers,
please help with the following issue:
we get logs from a Tomcat server in syslog text format (single file), which is added as a Monitored File Input.
There are 3 types of events in the file: Access, Runtime and system (syslog).
So I have configured transforms:
[app-set-sourcetype_access]
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::tomcat:access:log
REGEX = (access-log)
[app-set-sourcetype_runtime]
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::tomcat:runtime:log
REGEX = (runtime-log)
[app-set-sourcetype_syslog]
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::syslog
REGEX = (sshd\[|crond\[|\ssu\:|\skernel\:|crontab\[|anacron\[|CROND\[|Hostd\[|proftpd\[|systemd\[|systemd\:|postfix\/|sudo\[|ntpd\[|su\[|yum\[|kernel\[|rsyslogd\[)
and extractions:
[host::myappserver]
TRANSFORMS-change_appSourcetype = app-set-sourcetype_access, app-set-sourcetype_syslog, app-set-sourcetype_runtime
In inputs the sourcetype value for this file is:
sourcetype = tomcat:access:log
Then in Splunk I see all sourcetypes presented in a Fields tab for field sourcetype and each event has correct sourcetype mapped in the Events tab.
But when I add sourcetype=tomcat:runtime:log OR syslog to a search query, I receive nothing. Only for the 1st (sourcetype=tomcat:access:log) do I receive events, but events that should be mapped to syslog.
When I have only 2 sourcetypes for overriding rule everything is shown correctly.
Is it something known or should I change something?
Splunk Enterprise 6.6.2
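To check the three transforms outside Splunk, here is an added Python model (not part of the question or of Splunk) that applies the question's regexes to constructed sample events. It assumes Splunk's documented ordering for a TRANSFORMS-class list (every matching transform writes DEST_KEY, so the last match wins, and an unmatched event keeps the inputs.conf default) and also shows the effect of the missing "|" in "yum\[kernel\[" from the posted syslog REGEX.

```python
import re

# Syslog REGEX as posted in the question (note "yum\[kernel\[": the "|"
# between yum and kernel is missing, so that alternative is the literal
# text "yum[kernel[") and a corrected version with the "|" restored.
SYSLOG_REGEX_BROKEN = (r"(sshd\[|crond\[|\ssu:|\skernel:|crontab\[|anacron\[|CROND\[|Hostd\["
                       r"|proftpd\[|systemd\[|systemd:|postfix/|sudo\[|ntpd\[|su\[|yum\[kernel\[|rsyslogd\[)")
SYSLOG_REGEX_FIXED = SYSLOG_REGEX_BROKEN.replace(r"yum\[kernel\[", r"yum\[|kernel\[")

def transforms(syslog_regex):
    """The three transforms from the question, in the order the props.conf
    TRANSFORMS-change_appSourcetype stanza lists them: (REGEX, FORMAT)."""
    return [
        (r"(access-log)", "tomcat:access:log"),    # app-set-sourcetype_access
        (syslog_regex, "syslog"),                  # app-set-sourcetype_syslog
        (r"(runtime-log)", "tomcat:runtime:log"),  # app-set-sourcetype_runtime
    ]

def assign_sourcetype(raw, default, syslog_regex=SYSLOG_REGEX_FIXED):
    """Model of a TRANSFORMS-<class> list with DEST_KEY = MetaData:Sourcetype:
    every transform whose REGEX matches _raw writes the key, so the last
    matching transform wins; an unmatched event keeps the inputs.conf default.
    This is an illustrative model, not Splunk's own code."""
    sourcetype = default
    for regex, fmt in transforms(syslog_regex):
        if re.search(regex, raw):
            sourcetype = fmt
    return sourcetype

# Constructed sample events in the shape the question describes.
SAMPLE_EVENTS = [
    'Jan 10 10:00:00 myappserver tomcat access-log: 10.0.0.5 - - "GET /app HTTP/1.1" 200 512',
    "Jan 10 10:00:01 myappserver tomcat runtime-log: INFO Server startup in 4521 ms",
    "Jan 10 10:00:02 myappserver sshd[1234]: Accepted publickey for deploy from 10.0.0.9",
    "Jan 10 10:00:03 myappserver kernel[0]: eth0: link becomes ready",
    "Jan 10 10:00:04 myappserver yum[5678]: Installed: curl-7.29.0-42.el7.x86_64",
]

def classify(events, default="tomcat:access:log", syslog_regex=SYSLOG_REGEX_FIXED):
    """Return {sourcetype: [raw events]} for a list of raw events."""
    buckets = {}
    for raw in events:
        buckets.setdefault(assign_sourcetype(raw, default, syslog_regex), []).append(raw)
    return buckets

if __name__ == "__main__":
    for label, regex in (("broken", SYSLOG_REGEX_BROKEN), ("fixed", SYSLOG_REGEX_FIXED)):
        print(label)
        for st, evs in sorted(classify(SAMPLE_EVENTS, syslog_regex=regex).items()):
            print(f"  {st}: {len(evs)} event(s)")
```

With the posted regex the kernel[ and yum[ lines match no transform and stay under the default tomcat:access:log; with the "|" restored they land under syslog.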
Perhaps your search was all that was wrong. You had this in your question for your search:
sourcetype=tomcat:runtime:log OR syslog
You can't search like field=value OR differentvalue. Instead you would have to do:
sourcetype=tomcat:runtime:log OR sourcetype=syslog
Can you try using sourcetype in props.conf instead of host?
Hm, this works - now I see 2 of 3. But somehow syslog events are all now mapped to tomcat:access:log.
Current props.conf:
[tomcat:access:log]
TRANSFORMS-change_appSourcetype = app-set-sourcetype_syslog, app-set-sourcetype_runtime