Splunk Enterprise

props.conf can't figure source

standias
Explorer

Hi,

I have enabled content-based routing in my environment, consisting of a lightweight forwarder (A) & a Splunk server (B).

I have set REGEX on server side (B) to filter out logs I don't want from a file monitored on A. I want to filter out events that match my REGEX & index them to index sis & drop events that don't match by sending them to nullQueue.

Also I guess since I already mentioned index in transforms.conf I don't need to configure anything in outputs.conf.

However I can't seem to figure out what to set as source, i.e. in props.conf.

I have set the receiver on B as 8001, i.e. splunkserver:8001. How do I set this in my props.conf??

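props.conf

['what do i set here?']
TRANSFORMS-routing3 = shell,others

transforms.conf

# Events containing "si" (any case) are written to index sis
[shell]
REGEX = .*([Ss][Ii])
DEST_KEY = _MetaData:Index
FORMAT = sis

# Events with no "si" anywhere are sent to nullQueue (dropped)
[others]
REGEX = ^((?![Ss][Ii]).)*$
DEST_KEY = queue
FORMAT = nullQueue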


CarlS
Explorer

The easiest way to do it would be to specify a sourcetype name in inputs.conf on your lightweight forwarder. Just add sourcetype=myshellstuff to the stanza you're using for watching this particular data. Then you can change ['what do i set here?'] to [myshellstuff].

['what do i set here?'] can be lots of stuff though. Check out http://www.splunk.com/base/Documentation/latest/Admin/Propsconf for more info; specifically the section about []. It's right at the top, and it has a list of all the stuff it can be.


standias
Explorer

For reference:

====inputs.conf on LightWeight Forwarder side:

[monitor://D:\LOGS\Sis102010.txt]
sourcetype = src_Si

====props.conf on Indexer side:

[src_Si]

TRANSFORMS-routing3 = shell,others

====transforms.conf

Same as before


standias
Explorer

Solved!! Thanks CarlS 🙂

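A quick way to check the two transforms before deploying them, as an added example that is not part of the original thread: a simplified Python model of the index-time routing, with the `[others]` pattern written as `^((?![Ss][Ii]).)*$`. The sample events, the `main` default index and the function names are constructed for illustration, and Python's `re` stands in for Splunk's PCRE engine.

```python
import re

# The thread's transforms, in the order given by TRANSFORMS-routing3.
# Each entry: (stanza name, REGEX, DEST_KEY, FORMAT).
TRANSFORMS = [
    ("shell", re.compile(r".*([Ss][Ii])"), "_MetaData:Index", "sis"),
    ("others", re.compile(r"^((?![Ss][Ii]).)*$"), "queue", "nullQueue"),
]


def route(event, default_index="main"):
    """Apply every transform in order and return the resulting keys.

    Assumption: REGEX is an unanchored search with default flags, so '.'
    does not cross newlines and '^'/'$' anchor only at the event's ends.
    """
    keys = {"_MetaData:Index": default_index, "queue": "indexQueue"}
    for _name, regex, dest_key, fmt in TRANSFORMS:
        if regex.search(event):
            keys[dest_key] = fmt
    return keys


def destination(event):
    """Return 'dropped' for nullQueue events, else the target index."""
    keys = route(event)
    if keys["queue"] == "nullQueue":
        return "dropped"
    return keys["_MetaData:Index"]


# Constructed sample events (not taken from the thread).
SAMPLES = [
    "2010-10-20 10:01:02 SI shell started",     # intended match
    "2010-10-20 10:01:03 cron job finished",    # no "si": dropped
    "2010-10-20 10:01:04 user session opened",  # "session" contains "si"
    "ERROR backup failed\n  at step 3",         # multi-line, no "si"
]

if __name__ == "__main__":
    for ev in SAMPLES:
        print(f"{destination(ev):8} <- {ev!r}")
```

The third sample shows that the unanchored `[Ss][Ii]` also keeps events where "si" appears inside another word. The fourth shows that, in this model, a multi-line event matches neither stanza and lands in the default index instead of being dropped.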