Getting Data In

Not able to sourcetype

pmr
Explorer

I'm unable to force sourcetype from props.conf. Relatively new to splunk, am trying to setup logging of solaris /var/adm/messages. Am extracting ftp from the message and trying to sourcetype it as ftp. what's happening is if i try to set sourcetype to Solaris_Messages under inputs.conf for all /var/adm/messages it works. However if i try to extract "ftp" with props.conf and transforms.conf it sourcetypes it as "Syslog". I'm wondering if some default or learned sourcetypes is being enforced. Below are outputs of each files :

/opt/splunk/etc/apps/SplunkForwarder/local/props.conf :

[source::.../adm/messages]
TRANSFORMS-sourcetype_for_ftpd = sourcetype_for_ftpd

/opt/splunk/etc/apps/SplunkForwarder/local/transforms.conf :

[sourcetype_for_ftpd]
DEST_KEY = MetaData:SourceType
REGEX = ftpd\[\d+\]\:
FORMAT = sourcetype::ftp

when i set props and transforms to the above and restart, all ftp messages are sourcetype'd as Syslog. But when i simply set inputs.conf like below :

/opt/splunk/etc/apps/SplunkForwarder/local/inputs.conf :

[monitor:///var/adm/messages]
sourcetype = Solaris_Messages

all /var/adm/messages are sourcetype'd as Solaris_Messages which is good. I'm wondering why my props and transforms isn't working as expected, i tried using btool and show config but couldn't exactly figure out from which file sourcetype=Syslog is getting applied. This is in a forwarder config on solaris. Basically sourcetype seems to be working under inputs.conf whereas its not for props and transforms.

Any help is greatly appreciated.

thanks pmr

Tags (1)
0 Karma

Stephen_Sorkin
Splunk Employee
Splunk Employee

In transforms.conf, DEST_KEY is case sensitive and should be MetaData:Sourcetype as specified in transforms.conf.spec.

pmr
Explorer

Thanks Stephen.. it works now. what i did was not only correct SourceType to Sourcetype in transforms.conf but also move props and transforms.conf to /etc/system/local directory from /etc/apps/SplunkForwarder/local.

so my new question is should i always have props and transforms under /etc/system/local as supposed to under an App (/etc/apps/app-name/local) for index time transformations ? If we have different applications with its own props and transforms, should we always combine that under /etc/system/local ?

thanks
pmr

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...