Set transform base on sourcetype

MichalC — Mon, 23 Dec 2024 21:25:25 GMT

Hi, I'm using the Journald input in univarsal forwarder to collect logs form journald: https://docs.splunk.com/Documentation/Splunk/9.3.2/Data/CollecteventsfromJournalD. When the data comes, I set the sourcetype dynamically based on the value of the journald TRANSPORT field. This works fine.

After that, I would like to apply other transforms to the logs with a certain sourcetypes e.g. remove the logs if the log has a certain phrase. Unfortunately, for some reason, the second transform is not working. Here is the props and configs that I'm using

here is my transforms.conf:

[set_new_sourcetype]

SOURCE_KEY = field:TRANSPORT

REGEX = ([^\s]+)

FORMAT = sourcetype::$1

DEST_KEY = MetaData:Sourcetype

[setnull_syslog_test]

REGEX = (?i)test

DEST_KEY = queue

FORMAT = nullQueue

here is my pros.conf:

[source::journald:///var/log/journal]

TRANSFORMS-change_sourcetype = set_new_sourcetype

[sourcetype::syslog]

TRANSFORMS-setnull = setnull_syslog_test

Any idea why the setnull_syslog_test transform is not working?

Re: Set transform base on sourcetype

PickleRick — Mon, 23 Dec 2024 21:53:41 GMT

Two things.

1. Stanzas are (unless explicitly set for source or host) based on sourcetype. Don't put "sourcetype::" in stanza specification.

2. If your idea was to cast sourcetype from A to B and then use transforms defined for sourcetype B then it won't work. The list of operations which will be performed on an event is decided at the beginning of the ingestion pipeline. The only way to change it "midflight" is to use the CLONE_SOURCETYPE transform but it's more complicated than simple sourcetype rewrite.

topic Set transform base on sourcetype in Splunk Enterprise

Set transform base on sourcetype

Re: Set transform base on sourcetype