I'm trying to set sourcetype based on a regex from the source path during indexing, and it is not working.
What am I doing wrong?
props.conf:
[source::/var/log/docker/...]
TRANSFORMS-setsourcetype = setsourcetype
transforms.conf:
[setsourcetype]
SOURCE_KEY = source
REGEX = ^\/var\/log\/docker\/[^\/]*\/([^\/]*)
FORMAT = sourcetype::$1
DEST_KEY = MetaData:Sourcetype
The SOURCE_KEY should be MetaData:Source.
Ensure the configurations are deployed on the first full Splunk instance (heavy forwarder or indexer).
If it still doesn't work, try [source::/var/log/docker/*] instead of [source::/var/log/docker/...]
I changed props to [source::/var/log/docker//] and verified it is working by adding a SEDCMD.
SOURCE_KEY = MetaData:Source is not working in transforms.conf (I think that should technically be the correct solution, though)
I'll put in a ticket with Splunk support and report back here what we find out.
Looks like there may be stray characters on the value of source. I added global matches on either end of the source value and now it is parsing fine.
props.conf:
[source::/var/log/docker//]
TRANSFORMS-setsourcetype_from_source = setsourcetype_from_source
transforms.conf:
[setsourcetype_from_source]
DEST_KEY = MetaData:Sourcetype
SOURCE_KEY = MetaData:Source
REGEX = .*\/var\/log\/docker\/[^\/]+\/([^\/]+).*
FORMAT = sourcetype::$1
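The following is an added example, not part of the thread above and not Splunk's own code. It emulates the transforms.conf stanza offline so the two REGEX values posted in the thread can be compared side by side: the original anchored one (L9 style, with ^) and the final one wrapped in .* on both ends. The sample source values, the assumption that the "stray characters" were leading whitespace, and the function names (apply_transform, compare_regexes, is_safe_sourcetype) are constructed for illustration. The last function is our own suggested check, not something Splunk does: because ([^\/]+) accepts any non-slash character, it shows which derived sourcetype values would contain characters you may not want in a sourcetype name.

```python
"""Offline emulation of the Splunk props/transforms rule discussed in this thread.

Added example (not from the thread or from Splunk).  It applies the REGEX and
FORMAT from transforms.conf to constructed source values so the original and
final regexes can be compared without a Splunk instance.
"""
import re

# The two regexes exactly as posted in the thread.
ORIGINAL_REGEX = r"^\/var\/log\/docker\/[^\/]*\/([^\/]*)"
FINAL_REGEX = r".*\/var\/log\/docker\/[^\/]+\/([^\/]+).*"
FORMAT = "sourcetype::$1"

# Constructed sample values for MetaData:Source.  The second one assumes the
# "stray characters" mentioned in the thread were a leading space; that is an
# assumption for illustration, the thread does not say what they were.
SAMPLE_SOURCES = [
    "/var/log/docker/abc123/nginx/access.log",
    " /var/log/docker/abc123/nginx/access.log",
    "/var/log/docker/abc123/my app/app.log",
    "/var/log/syslog",
]


def apply_transform(source_value, regex, fmt=FORMAT):
    """Emulate one transforms.conf stanza with SOURCE_KEY = MetaData:Source.

    Splunk's REGEX is unanchored unless ^ or $ is written, so re.search is the
    right analogue.  FORMAT uses $1..$n for capture groups; that is re-expressed
    with Python group lookups.  Returns the value written to DEST_KEY, or None
    when REGEX does not match (Splunk then leaves the sourcetype untouched).
    """
    m = re.search(regex, source_value)
    if not m:
        return None
    return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), fmt)


def compare_regexes(sources=SAMPLE_SOURCES):
    """Return {source: (result_with_original_regex, result_with_final_regex)}."""
    return {
        s: (apply_transform(s, ORIGINAL_REGEX), apply_transform(s, FINAL_REGEX))
        for s in sources
    }


# Our own suggested sanity check (hypothetical, not part of Splunk): the
# capture group [^\/]+ admits spaces and punctuation, so a derived sourcetype
# can contain characters you would not normally allow in a sourcetype name.
SAFE_SOURCETYPE = re.compile(r"^sourcetype::[A-Za-z0-9_.:-]+$")


def is_safe_sourcetype(dest_value):
    """True when the derived DEST_KEY value looks like a plain sourcetype name."""
    return dest_value is not None and SAFE_SOURCETYPE.match(dest_value) is not None


if __name__ == "__main__":
    for src, (orig, final) in compare_regexes().items():
        flag = "" if final is None or is_safe_sourcetype(final) else "  <- unusual characters"
        print(f"{src!r:48} original={orig!r:22} final={final!r}{flag}")
```

Run it as a script to see that the anchored regex returns None for the source value with a leading space while the .*-wrapped one still yields sourcetype::nginx, which is consistent with the behaviour described in the last post. Note that .* on both ends also widens the match to any path containing /var/log/docker/ anywhere, so the props.conf source:: stanza is what keeps the rule scoped.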