Getting Data In

Why does searching absolute sourcetype name requires a wildcard?

okheggdal
Explorer

I have configured props.conf and transforms.conf on a Heavy Forwarder in order to split an existing sourcetype into sub categories. I have utilized what appears to be the general convention for naming layers in sourcetypes ie: a:b:c:d.

Now, the sourcetype I am splitting is a:b which are generating a:b:c and a:b:c:d. Everything is working fine and I am getting the data into the indexes and the formatting is perfect. What is bothering me is that in order to search for the a:b:c and a:b:c:d source I have to use a trailing wilcard. As a:b:c and a:b:c:d each contain quite a bit of data I would like to look at either or.

Its in no way a show-stopper but I would just like to check if I have missed something with regards to the config or if this is just the way it is.

props.conf

[a:b]
TRANSFORMS-changeSourceType = set:a:b:c, set:a:b:c:d
BREAK_ONLY_BEFORE = (%)|(VOIP_CALL_STATISTICS)

transforms.conf

[set:a:b:c]
DEST_KEY = MetaData:Sourcetype
REGEX = (%VOIP)
FORMAT = a:b:c

[set:a:b:c:d]
DEST_KEY = MetaData:Sourcetype
REGEX = (VOIP_CALL_STATISTICS)|(DSP)
FORMAT = a:b:c:d

Edit:

After some further investigations it gets even stranger where I have to include a search word in order for data to displayed in addition to the trailing wildcard:

index=something sourcetype=a:b:c:d* gives no results. index=something sourcetype=a:b:c:d* foo gives results containing foo.

I forgot to mention I am running version 6.5.0.

0 Karma
1 Solution

christeraustad
Explorer

Hi,

You need to prepend sourcetype:: in the FORMAT value.

[set:a:b:c]
DEST_KEY = MetaData:Sourcetype
REGEX = (%VOIP)
FORMAT = sourcetype::a:b:c

[set:a:b:c:d]
DEST_KEY = MetaData:Sourcetype
REGEX = (VOIP_CALL_STATISTICS)|(DSP)
FORMAT = sourcetype::a:b:c:d

View solution in original post

0 Karma

christeraustad
Explorer

Hi,

You need to prepend sourcetype:: in the FORMAT value.

[set:a:b:c]
DEST_KEY = MetaData:Sourcetype
REGEX = (%VOIP)
FORMAT = sourcetype::a:b:c

[set:a:b:c:d]
DEST_KEY = MetaData:Sourcetype
REGEX = (VOIP_CALL_STATISTICS)|(DSP)
FORMAT = sourcetype::a:b:c:d
0 Karma

xpac
SplunkTrust
SplunkTrust

Just to get it right - you don't get data when searching for sourcetype=a:b:c, but it works with sourcetype=a:b:c*?

0 Karma

okheggdal
Explorer

Yes, that is correct. Edit to make a bit more clear. 🙂

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...