Solved: Why is source type override based on host not work...

siva_cg · ‎09-24-2018

Hi All,

I have some switch logs which are configured to Splunk from 3 Universal Forwarders into one index. Based on host values, I renamed the source type by configuring props and transforms. I am able to see new source types in the index, but now the issue is when I search for that particular source type, it is not giving results.

index = index1 ----giving results and able to see sourcetypes in the field values as expected
index = index1 sourcetype = sourcetype1 ----- no results

props.conf
[orig_sourcetype]
TRANSFORMS-rename = index1_host1,index1_host2,index1_host3

transforms.conf
[index1_host1]
REGEX = host1
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype1
WRITE_META = true

[index1_host2]
REGEX = host2
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype2
WRITE_META = true

[index1_host3]
REGEX = host3
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype3
WRITE_META = true

Did I miss any configurations? Could any one please help? Thanks in advance.

harsmarvania57 · ‎09-26-2018

Hi @siva_cg,

Your configuration is not correct to set sourcetype, look at answer given by me on this question https://answers.splunk.com/answers/686241/metadata-transforms-not-being-applied-after-series-1.html#...

Try to set transforms.conf like this

[index1_host1]
REGEX = host1
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::sourcetype1

[index1_host2]
REGEX = host2
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::sourcetype2

[index1_host3]
REGEX = host3
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::sourcetype3

View solution in original post

harsmarvania57 · ‎09-26-2018

Hi @siva_cg,

Your configuration is not correct to set sourcetype, look at answer given by me on this question https://answers.splunk.com/answers/686241/metadata-transforms-not-being-applied-after-series-1.html#...

Try to set transforms.conf like this

[index1_host1]
REGEX = host1
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::sourcetype1

[index1_host2]
REGEX = host2
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::sourcetype2

[index1_host3]
REGEX = host3
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::sourcetype3

ddrillic · ‎09-26-2018

Gorgeous - a bit counterintuitive FORMAT = sourcetype::sourcetype1 as DEST_KEY already species the destination via DEST_KEY = MetaData:Sourcetype.

siva_cg · ‎09-26-2018

Thank you @harsmarvania57. It is working now.

Rob2520 · ‎09-24-2018

@siva_cg try updating transforms.conf with WRITE_META = false and restart indexer(s) for new changes to take effect and see if it works.

siva_cg · ‎09-25-2018

I changed the WRITE_META value to false and restarted but still no luck @Rob2520. I am able to see the new sourcetype values in interested fields but not able to search for them.

ddrillic · ‎09-24-2018

Looks really clean @siva_cg, I wonder which log file tracks the transforms.conf work...

Why is source type override based on host not working?

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM