- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Why it changes the sourcetype for all sourcetype
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why it changes the sourcetype for all sourcetype
I am trying to change the sourcetype of all events that are not from sourcetype starting with xyz. I am using following configuration
transforms.conf
[changeSourcetype]
SOURCE_KEY = MetaData:Sourcetype
REGEX = ^(?!xyz).+
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::wrong:sourcetype
props.conf
[default]
TRANSFORMS-changesourcetype=changeSourcetype
The above changes all the sourcetypes to wrong:sourcetype
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is the test I made for your use case.
I just didn't use the sourcetype as SOURCE_KEY. Instead, I;m using _raw for simplicity in the mock up construction:
inputs.conf
[monitor::///home/tiago/Desktop/test.txt]
index=xyz
sourcetype=xyz
props.conf
[xyz]
TRANSFORMS-xyz = override_xyz
DATETIME_CONFIG =
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
disabled = false
pulldown_type = true
transforms.conf
[override_xyz]
REGEX=^(?!xyz).+
SOURCE_KEY = _raw
DEST_KEY= MetaData:Sourcetype
FORMAT= sourcetype::overriden_sourcetype
Here is my testfile:
aqwdqwd
asdq
aaaxyz
xyz
And here are the results
3/19/18 1:01:17.000 PM
xyz
host = tiagoubuntu source = /home/tiago/Desktop/test.txt sourcetype = xyz
3/19/18 1:01:10.000 PM
aaaxyz
host = tiagoubuntu source = /home/tiago/Desktop/test.txt sourcetype = overriden_sourcetype
3/19/18 1:01:02.000 PM
asdq
host = tiagoubuntu source = /home/tiago/Desktop/test.txt sourcetype = overriden_sourcetype
3/19/18 1:00:51.000 PM
aqwdqwd
host = tiagoubuntu source = /home/tiago/Desktop/test.txt sourcetype = overriden_sourcetype
So my diagnose is your problem is not the regex itself, but probably the value you are having in your sourcetype at first.
Can you make a similar test to this one and give me feedback?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please let me know if the answer was useful for you. If it was, accept it and upvote. If not, give us more input so we can help you with that
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @tiagofbmm it's helpful but still didn't solve my problem.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Check if your regex is PCRE compliant to match want you want
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the reply, looks like it is PCRE compliant
https://regex101.com/r/eMo07d/1
The weird part is when I change it to filter sourcetype starts with xyz ^(xyz).+, it works.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I agree it should work according to regex101. Another point here is why the negative lookup? Wouldn't a straightforward regex match what you desire?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I need to change the sourcetype of an event if it's not starting with xyz. If there any other way I can achieve this, I'll be happy to do this?
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
