Hi All,
I have some switch logs which are configured to Splunk from 3 Universal Forwarders into one index. Based on host values, I renamed the source type by configuring props and transforms. I am able to see new source types in the index, but now the issue is when I search for that particular source type, it is not giving results.
index = index1 ----giving results and able to see sourcetypes in the field values as expected
index = index1 sourcetype = sourcetype1 ----- no results
props.conf
[orig_sourcetype]
TRANSFORMS-rename = index1_host1,index1_host2,index1_host3
transforms.conf
[index1_host1]
REGEX = host1
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype1
WRITE_META = true
[index1_host2]
REGEX = host2
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype2
WRITE_META = true
[index1_host3]
REGEX = host3
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype3
WRITE_META = true
Did I miss any configurations? Could any one please help? Thanks in advance.
Hi @siva_cg,
Your configuration is not correct for setting the sourcetype; look at the answer I gave on this question https://answers.splunk.com/answers/686241/metadata-transforms-not-being-applied-after-series-1.html#...
Try setting transforms.conf like this:
[index1_host1]
REGEX = host1
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::sourcetype1
[index1_host2]
REGEX = host2
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::sourcetype2
[index1_host3]
REGEX = host3
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::sourcetype3
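As an added example (not from this thread and not Splunk's own code), here is a small Python checker that parses transforms.conf stanzas, flags the two problems discussed above (a FORMAT value without the sourcetype:: prefix when DEST_KEY = MetaData:Sourcetype, and WRITE_META = true on a metadata rewrite), and simulates which sourcetype an event from a given host ends up with. The stanza text and host names are constructed, and the simulation is a simplification of how Splunk orders and applies transforms.

```python
import configparser
import re

# Constructed transforms.conf text (not the thread's verbatim): stanza 1 keeps the
# broken form from the question, stanza 2 uses the prefix from the accepted answer.
TRANSFORMS_CONF = """
[index1_host1]
REGEX = host1
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype1
WRITE_META = true
[index1_host2]
REGEX = host2
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::sourcetype2
"""
# Prefix Splunk expects in FORMAT when DEST_KEY targets these metadata fields.
REQUIRED_PREFIX = {"MetaData:Sourcetype": "sourcetype::", "MetaData:Host": "host::"}

def load_transforms(text):
    """Parse transforms.conf text into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep REGEX / DEST_KEY / FORMAT in their original case
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}

def lint_stanza(name, st):
    """Return the misconfigurations found in one stanza (empty list means clean)."""
    problems = []
    dest, fmt = st.get("DEST_KEY", ""), st.get("FORMAT", "")
    prefix = REQUIRED_PREFIX.get(dest)
    if prefix and not fmt.startswith(prefix):
        problems.append(f"{name}: FORMAT must start with '{prefix}' when DEST_KEY = {dest}")
    if st.get("WRITE_META", "false").lower() == "true" and dest.startswith("MetaData:"):
        problems.append(f"{name}: WRITE_META = true is for index-time field extraction, not a {dest} rewrite")
    return problems

def apply_sourcetype_rewrite(stanzas, host, sourcetype):
    """Simulate the MetaData:Sourcetype rewrite for one event, stanzas applied in order,
    later matches winning. Malformed stanzas are skipped; lint_stanza reports them."""
    for name, st in stanzas.items():
        if st.get("SOURCE_KEY") != "MetaData:Host" or st.get("DEST_KEY") != "MetaData:Sourcetype":
            continue
        if lint_stanza(name, st) or not re.search(st["REGEX"], host):  # REGEX is unanchored
            continue
        sourcetype = st["FORMAT"][len("sourcetype::"):]
    return sourcetype
```

Running the linter over a real transforms.conf before restarting the indexers catches this class of mistake without waiting for a search to come back empty.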
Gorgeous - a bit counterintuitive: FORMAT = sourcetype::sourcetype1, as DEST_KEY = MetaData:Sourcetype already specifies the destination.
Thank you @harsmarvania57. It is working now.
@siva_cg try updating transforms.conf with WRITE_META = false and restarting the indexer(s) for the new changes to take effect, and see if it works.
I changed the WRITE_META value to false and restarted but still no luck @Rob2520. I am able to see the new sourcetype values in interested fields but not able to search for them.
Looks really clean @siva_cg, I wonder which log file tracks the transforms.conf work...