Solved: Re: Why is source type override based on host not ...

siva_cg · ‎09-24-2018

Hi All,

I have some switch logs which are configured to Splunk from 3 Universal Forwarders into one index. Based on host values, I renamed the source type by configuring props and transforms. I am able to see new source types in the index, but now the issue is when I search for that particular source type, it is not giving results.

index = index1 ----giving results and able to see sourcetypes in the field values as expected
index = index1 sourcetype = sourcetype1 ----- no results

props.conf
[orig_sourcetype]
TRANSFORMS-rename = index1_host1,index1_host2,index1_host3

transforms.conf
[index1_host1]
REGEX = host1
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype1
WRITE_META = true

[index1_host2]
REGEX = host2
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype2
WRITE_META = true

[index1_host3]
REGEX = host3
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype3
WRITE_META = true

Did I miss any configurations? Could any one please help? Thanks in advance.

harsmarvania57 · ‎09-26-2018

Hi @siva_cg,

Your configuration is not correct to set sourcetype, look at answer given by me on this question https://answers.splunk.com/answers/686241/metadata-transforms-not-being-applied-after-series-1.html#...

Try to set transforms.conf like this

[index1_host1]
REGEX = host1
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::sourcetype1

[index1_host2]
REGEX = host2
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::sourcetype2

[index1_host3]
REGEX = host3
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::sourcetype3

View solution in original post

harsmarvania57 · ‎09-26-2018

Hi @siva_cg,

Your configuration is not correct to set sourcetype, look at answer given by me on this question https://answers.splunk.com/answers/686241/metadata-transforms-not-being-applied-after-series-1.html#...

Try to set transforms.conf like this

[index1_host1]
REGEX = host1
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::sourcetype1

[index1_host2]
REGEX = host2
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::sourcetype2

[index1_host3]
REGEX = host3
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::sourcetype3

ddrillic · ‎09-26-2018

Gorgeous - a bit counterintuitive FORMAT = sourcetype::sourcetype1 as DEST_KEY already species the destination via DEST_KEY = MetaData:Sourcetype.

siva_cg · ‎09-26-2018

Thank you @harsmarvania57. It is working now.

Rob2520 · ‎09-24-2018

@siva_cg try updating transforms.conf with WRITE_META = false and restart indexer(s) for new changes to take effect and see if it works.

siva_cg · ‎09-25-2018

I changed the WRITE_META value to false and restarted but still no luck @Rob2520. I am able to see the new sourcetype values in interested fields but not able to search for them.

ddrillic · ‎09-24-2018

Looks really clean @siva_cg, I wonder which log file tracks the transforms.conf work...

Why is source type override based on host not working?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...