sourcetype not getting overridden

abhayneilam · ‎04-25-2018

I have an inputs.conf
[monitor:///tmp/a.txt]
index=a
sourcetype=AA

Now,I want to over write the sourcetype in HF as mentioned in the Splunk docs.
props.conf
[source::/tmp/a.txt]
SHOUlD_LINEMERGE=false
sourcetype=BB

But, my sourcetype is not getting over written, I am getting the same sourcetype as AA in my IDX server. How to correct it

somesoni2 · ‎04-25-2018

You'd have to use the transforms to update the sourcetype metadata, like this

props.conf

[source::/tmp/a.txt]
SHOUlD_LINEMERGE=false
TRANSFORMS-overridest = override_st

transforms.conf

[override_st]
REGEX = .
FORMAT = sourcetype::BB
DEST_KEY = MetaData:Sourcetype

This will be your reference Splunk documentation for the same: http://docs.splunk.com/Documentation/Splunk/7.0.3/Data/Advancedsourcetypeoverrides

abhayneilam · ‎04-25-2018

Do I have to make it HF ? or IDX ? ...

somesoni2 · ‎04-25-2018

Whichever comes first in data from source. Generally if you're using HF, before index, set this up in HF. A restart of splunkd service would be required and it'd only affect the new events that come after you set this up.

abhayneilam · ‎04-25-2018

If I have UF---HF---IDX then ?

somesoni2 · ‎04-25-2018

Still in HF (first Splunk Enterprise instance in the flow, after UF first Splunk Enterprise instance is HF, so HF).

abhayneilam · ‎04-26-2018

No , it is not working .

sourcetype is not getting renamed in HF. But If I do in IDX it is working ..

sourcetype not getting overridden

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases