topic Re: Change source type in All Apps and Add-ons

Change source type

vistasyslog — Thu, 10 Jan 2013 17:47:38 GMT

** I am trying get the three IP addresses to use a new sourcetye when they send in data.

Props.conf reads :

[source::udp:514]
TRANSFORMS-riverbed_src = riverbed_steelhead
TRANSFORMS-changesourcetype = sourcetype_cisco_asa

transforms.conf reads :

[riverbed_steelhead]
REGEX = (10.12.0.20:10.0.0.33:10.10.20.185)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::riverbed_steelhead

[sourcetype_cisco_asa]
REGEX = (10.12.254.1:10.10.20.254:10.1.250.254)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::cisco_asa

I get the Error :

Possible typo in stanza [riverbed_steelhead] in transforms.conf. Line 4
Possible typo in stanza [sourcetype_cisco_asa] in transforms.conf. Line 10

Can someone help me find my problem please.

FYI : I also tried the format :

REGEX = (10.12.0.20|10.0.0.33|10.10.20.185)**

Re: Change source type

DaveSavage — Thu, 10 Jan 2013 18:02:01 GMT

Don't you need to escape the dots vistasyslog? Point / dot is a metacharacter in regular expressions. Usually fixed ones are in quotes? I'll try sort the regex out unless somebody does it first...

Re: Change source type

vistasyslog — Thu, 10 Jan 2013 18:09:16 GMT

I also tried : [10.12.0.20|10.0.0.33) and that did not work either.
I dont understand the typo in the first line.

Re: Change source type

vistasyslog — Thu, 10 Jan 2013 18:10:29 GMT

there is a backslash before each ".", which for some reason is not showing up when I type it here.

Re: Change source type

DaveSavage — Thu, 10 Jan 2013 18:21:21 GMT

Understood - I know the issue re slashes (forward or backwards) being a representation issue...it's something to do with the formatting of responses and can be overcome. I'm not sure how as yet, but others have kindly corrected my stuff and I need to learn too! 😉

Re: Change source type

DaveSavage — Thu, 10 Jan 2013 18:42:14 GMT

May I just check - you have tried "10\.12\.0\.20""etc..."

Re: Change source type

Ayn — Thu, 10 Jan 2013 18:45:24 GMT

Either indent code blocks with four spaces at the start of each line (this line needs to have empty lines before and after), or use backticks. This should make code show properly.

Re: Change source type

Ayn — Thu, 10 Jan 2013 18:47:07 GMT

Your regexes look weird, vistasyslog. Do you know how to write regexes, or figuring out as you go along? Because : is definitely not interpreted as an OR operator in regular expressions. | is, though.

Also you're not specifying a SOURCE_KEY, which means Splunk will match against the raw event data. Is this what you want, or do you want to read from the host field?

Re: Change source type

DaveSavage — Thu, 10 Jan 2013 18:47:18 GMT

Thanks mate, appreciated.

Re: Change source type

vistasyslog — Thu, 10 Jan 2013 18:54:29 GMT

I am figuring it out.
I thought the backslash before every dot on the IP address was the right way to do it.
I am getting typos for the first line though.
Should I specify a source key ?
All I need is a way to have 10.10.20.185 use the sourcetype as riverbed_steelhead instead of syslog.

Re: Change source type

Ayn — Thu, 10 Jan 2013 19:10:28 GMT

If you want Splunk to read from the host field rather than the _raw field, then you must tell it to do so, yes.

SOURCE_KEY = MetaData:Host
REGEX = (10\.12\.0\.20|10\.0\.0\.33|10\.10\.20\.185)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::riverbed_steelhead

Re: Change source type

vistasyslog — Thu, 10 Jan 2013 19:21:12 GMT

One thing I dont understand is, when I restart Splunk, why do I get the typo error ?
Is the above change going to make the IP addresses stop using syslog sourcetype and use just the riverbed_steelhead sourcetype ?

Re: Change source type

emiller42 — Thu, 10 Jan 2013 19:45:06 GMT

The reason for the typo is you have two TRANSFORMS configurations when you should only have one. Instead of the two lines you have there, use:

TRANSFORMS-changesourcetype = riverbed_steelhead, sourcetype_cisco_asa

If you need to add more transforms.conf stanzas to this source, you just append them to the line, comma separated.

Re: Change source type

DaveSavage — Thu, 10 Jan 2013 19:45:31 GMT

Well your original statement posting did indeed indicate that as the way you were going vistasyslog in the trasforms and props?!
If you are talking about the indexer, yes that is what it is now expecting. If you are talking forwarder then yes, that's where it will be sending...
As Ayn said - are you new to this? No probs if so, just say - then peeps won't assume you are a guru on regex (for example)...they just want to help. Full problem statements get better results, trust me - we all need it.

Re: Change source type

DaveSavage — Thu, 10 Jan 2013 19:47:30 GMT

..and what error was it throwing at you? Can you paste it pls?

Re: Change source type

vistasyslog — Thu, 10 Jan 2013 20:42:20 GMT

I am new to this.
First time I am setting up Splunk. I am no where close to being a REGEX Guru.
The error that I get is :

I get the Error :

Possible typo in stanza [riverbed_steelhead] in transforms.conf. Line 4

Thanks

Re: Change source type

tgow — Thu, 10 Jan 2013 20:59:48 GMT

I am wondering if the error is because you are using the incorrect syntax for the regex. If you want more than one ip address to matches with the REGEX then you need to separate them with a pipe symbol and not a colon. Here is an example of what I would try:

[riverbed_steelhead]
REGEX = (10.12.0.20|10.0.0.33|10.10.20.185)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::riverbed_steelhead

Re: Change source type

vistasyslog — Thu, 10 Jan 2013 21:05:20 GMT

Thanks for the reply.
I am getting the logs sent to the new source type.
I still get that error though.
Can I have the logs to go to just the new sourcetype and not to syslogs at all ?

Thanks

Re: Change source type

emiller42 — Thu, 10 Jan 2013 21:19:02 GMT

see my comment above for the explanation to your error. You can't have two TRANSFORMS lines in a single props.conf stanza.

Re: Change source type

vistasyslog — Thu, 10 Jan 2013 21:36:33 GMT

I tried it and still got the same error.