topic Re: Sourcetype Override Not Working! in All Apps and Add-ons

where do you located these conf files?

they must be located in the first full Splunk instance that data passing through.

In other words, if you're using an Heavy forwarder to take these logs, you have to put them in the HFs, if instead you're using a Universal Forwarder, you have to locate them on Indexers or on an eventual intermediate HF.

Ciao.

Giuseppe

Re: Sourcetype Override Not Working!

allidoiswinboom — Thu, 07 Mar 2024 13:36:21 GMT

Hi @gcusello Thanks for the reply. We are using UFs and I have the confs files on the deployment server and the indexers. We use a CM to manage all the Indexers so I deploy the updated files from the CM to ensure consistent hashing across the files. Thank you!

Re: Sourcetype Override Not Working!

gcusello — Thu, 07 Mar 2024 13:52:11 GMT

if you haven't any intermediate HF, you must locate them on Indexers.

Ciao.

Giuseppe

Re: Sourcetype Override Not Working!

allidoiswinboom — Thu, 07 Mar 2024 14:39:46 GMT

Hello @gcusello Yes these files are already on the indexers.

Re: Sourcetype Override Not Working!

gcusello — Fri, 08 Mar 2024 08:04:39 GMT

have you, on Indexers, also the Splunk_TA_F5?

because it transforms logs and maybe your transformation isn't effective because the f5:bigip:syslog is already transformed in something else.

using the regex, which sourcetype do your events have?

Ciao.

Giuseppe

Re: Sourcetype Override Not Working!

allidoiswinboom — Fri, 08 Mar 2024 14:40:11 GMT

No, the 'Splunk_TA_f5-bigip' app is on the DS but not the IDXs/CM. Is that something that ought to be pushed out to the CM/IDX?

We have a local app that is specific to our program with a ruleset for that f5:bigip:syslog but that is just specifying the hosts that route data to that index.

How can I check via the regex what sourcetypes the data has?

Thank you!

Re: Sourcetype Override Not Working!

gcusello — Fri, 08 Mar 2024 14:51:15 GMT

please, which sourcetype ha your running this search:

index = f5_cs_p_p | regex "^acl_policy_name=\"$"

i addition, in the REGEX in transforms.conf, you should escape the quotes:

REGEX = ^acl_policy_name=\"$

Ciao.

Giuseppe

Re: Sourcetype Override Not Working!

allidoiswinboom — Fri, 08 Mar 2024 14:57:39 GMT

I ran that search and no results were found. 😞 So is the regex incorrect? I was just trying to match that event referenced above.

Thank you!

Re: Sourcetype Override Not Working!

gcusello — Fri, 08 Mar 2024 14:59:08 GMT

I used your regex, if you haven't any result in the search, the issue is in the regex.

Ciao.

Giuseppe

Re: Sourcetype Override Not Working!

allidoiswinboom — Fri, 08 Mar 2024 15:02:28 GMT

Ok great, if that's the case, I just want to match events that start with "acl_policy_name" so I can transform the sourcetype to something else. All the events start with that so I'm not sure what else I need to add to the REGEX?

Thank you!

Re: Sourcetype Override Not Working!

gcusello — Fri, 08 Mar 2024 15:05:01 GMT

search the correct regex using regex101.com or, please, share some event so we can help you.

Ciao.

Giuseppe

Re: Sourcetype Override Not Working!

allidoiswinboom — Fri, 08 Mar 2024 15:10:29 GMT

I have to black out certain information but see below:

Thank you for your help!

Re: Sourcetype Override Not Working!

gcusello — Fri, 08 Mar 2024 15:43:34 GMT

to help you, I need them in text format to use in regex101.com, I cannot use a screenshot|

Anyway, why in your regex there's the dollar char ($)?

the correct regex should be

REGEX = ^acl_policy_name\=\"

Ciao.

Giuseppe

Re: Sourcetype Override Not Working!

allidoiswinboom — Mon, 25 Mar 2024 20:48:44 GMT

@gcusello Sorry for the late reply but this helped with the creation of the sourcetype. Thank you for all your help! 🙂

Re: Sourcetype Override Not Working!

gcusello — Mon, 25 Mar 2024 22:24:26 GMT