I currently have an existing sourcetype (cisco_ios), extracted from syslog via regex and transforms. Some other transforms split this sourcetype further into separate indexes.
According to the readme I need to: "Make sure your Cisco devices by default log to one of the following sourcetypes: cisco:ios OR syslog (A regex match will be performed to rewrite the events to the cisco:ios sourcetype)"
According to that logic I'm assuming that I can simply do this:
[cisco_ios]
rename = cisco:ios
Will my old regexes for indexing and sourcetyping regimes be respected, or will they be superseded by the app? I don't want to have to go through and re-configure the app to suit my needs.
Hi,
Say you have two [cisco:ios] stanzas in different props.conf files. Splunk will merge these into one at run time, which means that as long as the names and classes of the rules (TRANSFORMS, EXTRACT, REPORT, etc.) are not the same, they will all be executed.
What the app does is:
If sourcetype = syslog, change the sourcetype to cisco:ios if it matches a specific regex
If sourcetype = cisco:ios we only do field extractions, so we're not overriding any potential user created sourcetype or index transforms here.
What matters is what the events look like, so if the raw existing cisco_ios events that you are renaming to cisco:ios have been changed in any way and no longer match the regex for cisco:ios, then the Cisco IOS app won't present them correctly. It does not care about which index the events are stored in. All that matters is the _raw field and sourcetype=cisco:ios.
If you're still unsure you can paste the output of a _raw log line from your cisco_ios sourcetype here and I will check if it matches.
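As an added illustration of the merge behaviour described in the answer (this is example configuration written for this page, not the Cisco IOS app's own files or the original poster's config), here is how the user's existing stanzas and the app's stanzas sit side by side. The transform and class names are invented, and the REGEX values are illustrative placeholders for the Cisco `%FACILITY-SEVERITY-MNEMONIC:` message prefix and for a hostname-based index split; substitute your own.

```ini
# ---- your app: local/props.conf (existing rules plus the proposed rename) ----
# Index-time: pull Cisco IOS messages out of the generic syslog feed.
[syslog]
TRANSFORMS-set_cisco_ios = my_set_cisco_ios        ; class name is an assumption

# Your existing sourcetype. Index-time routing stays here and keeps running,
# because "rename" only changes how the sourcetype appears at search time.
[cisco_ios]
TRANSFORMS-route_cisco = my_route_core, my_route_edge   ; class names are assumptions
rename = cisco:ios

# ---- your app: local/transforms.conf (REGEX values are illustrative) ----
[my_set_cisco_ios]
REGEX = %[A-Z0-9_]+-[0-7]-[A-Z0-9_]+:
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::cisco_ios

[my_route_core]
REGEX = \s(core-sw\d+)\s
DEST_KEY = _MetaData:Index
FORMAT = net_core

[my_route_edge]
REGEX = \s(edge-rtr\d+)\s
DEST_KEY = _MetaData:Index
FORMAT = net_edge

# ---- Cisco IOS app: default/props.conf, as the answer describes it ----
# (stanza and class names below are assumptions, not copied from the app)
[syslog]
; Different TRANSFORMS- class name from yours, so after the merge BOTH run.
TRANSFORMS-app_cisco_ios = app_force_sourcetype_cisco_ios

[cisco:ios]
; Search-time field extractions only: no index or sourcetype rewriting here,
; so nothing in this stanza overrides your index-time routing.
EXTRACT-app_facility = %(?<facility>[A-Z0-9_]+)-(?<severity>[0-7])-(?<mnemonic>[A-Z0-9_]+):
```

Two things to check before relying on this layout. First, make sure none of your TRANSFORMS- class names under [syslog] collide with the app's; identical names in two props.conf files are merged by precedence rather than both executed. Second, per props.conf.spec, `rename` is search-time only and events from a renamed sourcetype use only the search-time configuration of the target sourcetype, so any EXTRACT or REPORT settings you have under [cisco_ios] need to move to a [cisco:ios] stanza in your own local props.conf, while the index-time TRANSFORMS under [cisco_ios] continue to apply as before.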