topic Re: props.conf cant figure source in Splunk Enterprise

props.conf cant figure source

standias — Wed, 20 Oct 2010 22:13:56 GMT

Hi,

I have enabled content based routing in my environment; consisting of a lightweight forwarder (A) & a splunk server (B).

I have set REGEX on server side (B) to filter out logs I dont want from a file monitored on A. I want to filter out events that match my REGEX & index them to index sis & drop events that dont match by sending them to nullQueue.

Also I guess since I already mentioned index in transforms.conf I dont need to configure anything in outputs.conf

However i cant seem to figure out what to set as source i.e in props.conf

I have set the receiver on B as 8001. i.e. splunkserver:8001 How do I set this in my props.conf??

props.conf

['what do i set here?']

TRANSFORMS-routing3 = shell,others

transforms.conf

[shell]

REGEX= .*([Ss][Ii])

DEST_KEY=_MetaData:Index

FORMAT= sis

[others]

REGEX=^((?![Ss][Ii])).)*$

DEST_KEY=queue

FORMAT=nullQueue

Re: props.conf cant figure source

CarlS — Wed, 20 Oct 2010 22:48:14 GMT

The easiest way to do it would be to specify a sourcetype name in inputs.conf on your lightweight forwarder. Just add sourcetype=myshellstuff to the stanza you're using for watching this particular data. Then you can change ['what do i set here?'] to [myshellstuff].

['what do i set here?'] can be lots of stuff though. Check out http://www.splunk.com/base/Documentation/latest/Admin/Propsconf for more info; specifically the section on about []. It's right at the top, and it has a list of all the stuff can be.

Re: props.conf cant figure source

standias — Fri, 22 Oct 2010 18:39:49 GMT

For reference :

====inputs.conf on LightWeight Forwarder side:

[monitor://D:\LOGS\Sis102010.txt ] sourcetype= src_Si

====props.conf on Indexer side:

[src_Si]

TRANSFORMS-routing3 = shell,others

====transforms.conf

Same as before

Re: props.conf cant figure source

standias — Fri, 22 Oct 2010 18:40:54 GMT

Solved!! Thanks CarlS 🙂