Splunk Search

Why are my props/transforms not taking effect?

ajhstn
Explorer

Hello, I have a single Splunk Enterprise instance with a 9997 listener. I have a single Windows Server with a UF forwarding data to the Splunk Enterprise instance. This is all good; data is being forwarded as expected.

I am now trying to make a few props.conf changes to the data, but none of my configuration seems to make any difference when I go and look in the Splunk Enterprise search app.

Here in props.conf I am trying to transform the host, set the timezone to Sydney and set the event time.

[WinEventLog:*]
TRANSFORMS-change_host = WinEventHostOverride
TZ = Australia/Sydney
DATETIME_CONFIG = CURRENT

Here in transforms.conf is my host override block:

[WinEventHostOverride]
DEST_KEY = MetaData:Host
REGEX = (?m)^ComputerName=([\S]*)
FORMAT = host::$1

On every change I make, I have performed a splunk.exe restart on the UF host. However, nothing appears to change in my index.

Here is a sample from my index.

  • As you can see, the Time field is UTC, but I want the time in the actual event to be the Time.
  • The host field is not being transformed to the ComputerName field in the event.


Using answers from other questions, I used the following search query to "test" the regex, and it appears to work, so I am confused why it doesn't work.

index=* | head 1 | eval testdata="ComputerName=ahslc01p" | regex testdata="(?m)^ComputerName=([\S]*)" | stats count
0 Karma

ajhstn
Explorer

Thanks to both of you. The Wiki article is invaluable, and should be re-incorporated into official documentation.

0 Karma

MuS
SplunkTrust

Two things I can spot:

  • in props.conf you are using a * in the sourcetype name; this is not supported.
  • you restarted the UF after each change, but the props/transforms should be applied on your single Splunk instance.

cheers, MuS
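The layout MuS's answer points at, written out as an added example that is not part of the original thread: both files live on the single Splunk Enterprise instance (the one doing the parsing), not on the Universal Forwarder; the wildcard sourcetype stanza is replaced by one explicit stanza per Windows event log sourcetype; and DATETIME_CONFIG = CURRENT is dropped, because that setting tells Splunk to use the time the event is processed as _time, which is the opposite of wanting the event's own timestamp. The app name is a placeholder, and the source:: naming in the commented alternative is an assumption about what the UF's default WinEventLog inputs put in the source field.

```ini
# ---------------------------------------------------------------------------
# props.conf
# Location (assumption): $SPLUNK_HOME/etc/apps/wineventlog_fixes/local/props.conf
# on the Splunk Enterprise instance that receives on 9997. TRANSFORMS-*, TZ and
# DATETIME_CONFIG are index-time settings and only take effect where the data
# is parsed; a Universal Forwarder does not parse these events, so placing
# them there (and restarting the UF) changes nothing.
# ---------------------------------------------------------------------------

# A sourcetype stanza name cannot contain a wildcard, so [WinEventLog:*] is
# never matched. List each Windows event log sourcetype you actually ingest.
[WinEventLog:Security]
TRANSFORMS-change_host = WinEventHostOverride
TZ = Australia/Sydney
# DATETIME_CONFIG is deliberately left at its default so _time is extracted
# from the event's own timestamp. "DATETIME_CONFIG = CURRENT" would stamp
# every event with the time it was processed instead.

[WinEventLog:System]
TRANSFORMS-change_host = WinEventHostOverride
TZ = Australia/Sydney

[WinEventLog:Application]
TRANSFORMS-change_host = WinEventHostOverride
TZ = Australia/Sydney

# Alternative that does allow a wildcard: source:: stanzas accept them.
# Assumption: the UF's [WinEventLog://<channel>] inputs set
# source = WinEventLog:<channel>, so one stanza covers every channel.
# [source::WinEventLog:*]
# TRANSFORMS-change_host = WinEventHostOverride
# TZ = Australia/Sydney

# ---------------------------------------------------------------------------
# transforms.conf
# Location (assumption): $SPLUNK_HOME/etc/apps/wineventlog_fixes/local/transforms.conf
# on the same instance. The stanza name must match the value given to
# TRANSFORMS-change_host above.
# ---------------------------------------------------------------------------
[WinEventHostOverride]
# (?m) makes ^ match at the start of any line inside the multi-line event,
# so the ComputerName=... line is found wherever it sits in the raw text.
REGEX = (?m)^ComputerName=(\S+)
FORMAT = host::$1
DEST_KEY = MetaData:Host
```

After copying the files into place, restart the Splunk Enterprise instance (not the UF) and confirm what it actually loaded with `splunk btool props list WinEventLog:Security --debug` and `splunk btool transforms list WinEventHostOverride --debug`; the `--debug` flag prints which file each setting came from, which is the quickest way to catch a stanza that landed on the wrong host or was shadowed by another app. Index-time settings only apply to events indexed after the restart, so the existing events in the index will keep their old host and _time values; search with `earliest=-5m` or similar to see only freshly indexed data when checking the result.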

kristian_kolb
Ultra Champion

Yep, this is a slightly old piece of documentation, but it gives a good understanding of what goes where, in terms of configuration items.

https://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings%3F

0 Karma

ajhstn
Explorer

Thank you, this Wiki was invaluable and should be incorporated back into official documentation.

0 Karma