Re: Issue with overriding per-event custom sourcet...

splnktester · ‎02-06-2013

Hello!
I have issue while getting my application logs data from universal forwarder working in my network.

My configs on indexer server:

1) props.conf

[Planet3_Application_Logs]

TRANSFORMS-001 = planet3_app_logs

BREAK_ONLY_BEFORE = event id

NO_BINARY_CHECK = 1

SHOULD_LINEMERGE = true

TIME_PREFIX = date

TZ = Europe/Samara

pulldown_type = 1

2) transforms.conf

[planet3_app_logs]

REGEX = event id

FORMAT = sourcetype::Planet3_Application_Logs

DEST_KEY = MetaData:Sourcetype

So, i used this manual

http://docs.splunk.com/Documentation/Splunk/latest/Data/Advancedsourcetypeoverrides

And as result i see, that all my logs are coming in FROM UNIVERSAL forwarder in automate assigned xml sourcetypes by splunk indexer. However, local data inputs in my custom sourcetypes work fine

What's the problem?

splnktester · ‎03-05-2013

UP question!

splnktester · ‎02-07-2013

Yes. I'm sure

Ayn · ‎02-06-2013

Just to make sure - you're confident in that this forwarder you're sending from IS a Universal Forwarder and not some other kind of heavy forwarder?

Issue with overriding per-event custom sourcetypes while getting data from universal forwarder

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk