https://community.splunk.com/t5/Getting-Data-In/Transform-for-sourcetype-not-working/m-p/52496#M10112 <P>I have setup a transform to ideally set the hostname and sourcetype for syslog traffic, however I'm encountering problems. </P> <P>I have the following in the transforms.conf:</P> <BLOCKQUOTE> <P>[firepass_sourcetyper] REGEX =<BR /> (?:192.168.249.106) DEST_KEY =<BR /> MetaData:sourcetype FORMAT =<BR /> sourcetype::firepass_log</P> <P>[firepass_hostnamer] REGEX =<BR /> (?:192.168.249.106) DEST_KEY =<BR /> MetaData:host FORMAT =<BR /> host::rm.markerstudy.com</P> </BLOCKQUOTE> <P>And I have the following in my props.conf file:</P> <P>[source::udp:514]</P> <BLOCKQUOTE> <P>TRANSFORMS-firepasssoucetype = firepass_sourcetyper<BR /> TRANSFORMS-firepasshostname = firepass_hostnamer</P> </BLOCKQUOTE> <P>I'm not sure if it's possible to do multiple transforms for a single source as I am trying, however for the purpose of testing this I have commented out the second transforms statement.</P> <P>Can anybody help as to why this isn't working?</P> <P>Thanks,<BR /> Neil</P> Mon, 28 Sep 2020 10:19:17 GMT NeilGingell 2020-09-28T10:19:17Z https://community.splunk.com/t5/Getting-Data-In/Transform-for-sourcetype-not-working/m-p/52496#M10112 <P>I have setup a transform to ideally set the hostname and sourcetype for syslog traffic, however I'm encountering problems. </P> <P>I have the following in the transforms.conf:</P> <BLOCKQUOTE> <P>[firepass_sourcetyper] REGEX =<BR /> (?:192.168.249.106) DEST_KEY =<BR /> MetaData:sourcetype FORMAT =<BR /> sourcetype::firepass_log</P> <P>[firepass_hostnamer] REGEX =<BR /> (?:192.168.249.106) DEST_KEY =<BR /> MetaData:host FORMAT =<BR /> host::rm.markerstudy.com</P> </BLOCKQUOTE> <P>And I have the following in my props.conf file:</P> <P>[source::udp:514]</P> <BLOCKQUOTE> <P>TRANSFORMS-firepasssoucetype = firepass_sourcetyper<BR /> TRANSFORMS-firepasshostname = firepass_hostnamer</P> </BLOCKQUOTE> <P>I'm not sure if it's possible to do multiple transforms for a single source as I am trying, however for the purpose of testing this I have commented out the second transforms statement.</P> <P>Can anybody help as to why this isn't working?</P> <P>Thanks,<BR /> Neil</P> Mon, 28 Sep 2020 10:19:17 GMT https://community.splunk.com/t5/Getting-Data-In/Transform-for-sourcetype-not-working/m-p/52496#M10112 NeilGingell 2020-09-28T10:19:17Z https://community.splunk.com/t5/Getting-Data-In/Transform-for-sourcetype-not-working/m-p/52497#M10113 <P>Hi, I think you problem is that the MetaData variables are case sensative. </P> <P>Try:</P> <P>In props.conf</P> <P><CODE><BR /> [source::udp:514]<BR /> TRANSFORMS-firepasssoucetype = firepass_sourcetyper<BR /> TRANSFORMS-firepasshostname = firepass_hostnamer<BR /> </CODE></P> <P>In transforms.conf<BR /> <CODE><BR /> [firepass_sourcetyper] <BR /> REGEX = (?:192.168.249.106) <BR /> DEST_KEY = MetaData:Sourcetype <BR /> FORMAT = sourcetype::firepass_log </CODE></P> <P>[firepass_hostnamer] <BR /> REGEX = (?:192.168.249.106) <BR /> DEST_KEY = MetaData:Host <BR /> FORMAT = host::rm.markerstudy.com<BR /> </P> Mon, 28 Sep 2020 10:19:20 GMT https://community.splunk.com/t5/Getting-Data-In/Transform-for-sourcetype-not-working/m-p/52497#M10113 hedgehog 2020-09-28T10:19:20Z https://community.splunk.com/t5/Getting-Data-In/Transform-for-sourcetype-not-working/m-p/52498#M10114 <P>Neil,</P> <P>You should be able to put all of your transforms on one line...ie.</P> <PRE><CODE>[source::udp::514] TRANSFORMS-firepass_stuff = firepass_sourcetyper,firepass_hostnamer </CODE></PRE> <P>Also keep in mind that the DEST_KEY(s) are case sensitive, so you would need:</P> <PRE><CODE>[firepass_sourcetyper] REGEX = (?:192.168.249.106) DEST_KEY = MetaData:Sourcetype FORMAT = sourcetype::firepass_log [firepass_hostnamer] REGEX = (?:192.168.249.106) DEST_KEY = MetaData:Host FORMAT = host::rm.markerstudy.com </CODE></PRE> <P>Hope that helps.</P> Tue, 17 Jan 2012 15:11:38 GMT https://community.splunk.com/t5/Getting-Data-In/Transform-for-sourcetype-not-working/m-p/52498#M10114 Lamar 2012-01-17T15:11:38Z https://community.splunk.com/t5/Getting-Data-In/Transform-for-sourcetype-not-working/m-p/52499#M10115 <P>Both answers were spot on.</P> <P>Thanks,</P> Tue, 17 Jan 2012 15:25:26 GMT https://community.splunk.com/t5/Getting-Data-In/Transform-for-sourcetype-not-working/m-p/52499#M10115 NeilGingell 2012-01-17T15:25:26Z https://community.splunk.com/t5/Getting-Data-In/Transform-for-sourcetype-not-working/m-p/52500#M10116 <P>I have a similar problem. I am trying get the three IP addresses to use a new sourcetye when they send in data.</P> <P>Props.conf reads :</P> <P>[source::udp:514]<BR /> TRANSFORMS-riverbed_src = riverbed_steelhead<BR /> TRANSFORMS-changesourcetype = sourcetype_cisco_asa</P> <P>transforms.conf reads :</P> <P>[riverbed_steelhead]<BR /> REGEX = (10.12.0.20:10.0.0.33:10.10.20.185)<BR /> DEST_KEY = MetaData:Sourcetype<BR /> FORMAT = sourcetype::riverbed_steelhead</P> <P>[sourcetype_cisco_asa]<BR /> REGEX = (10.12.254.1:10.10.20.254:10.1.250.254)<BR /> DEST_KEY = MetaData:Sourcetype<BR /> FORMAT = sourcetype::cisco_asa</P> <P>I get the Error :</P> <P>Possible typo in stanza [riverbed_steelhead] in transforms.conf. Line 4<BR /> Possible typo in stanza [sourcetype_cisco_asa] in transforms.conf. Line 10</P> <P>Can someone help me find my problem please.</P> <P>FYI : I also tried the format :</P> <P>REGEX = (10.\12.0.20|10.0.0.33|10.10.20.185)</P> Mon, 28 Sep 2020 13:04:59 GMT https://community.splunk.com/t5/Getting-Data-In/Transform-for-sourcetype-not-working/m-p/52500#M10116 vistasyslog 2020-09-28T13:04:59Z