https://community.splunk.com/t5/Getting-Data-In/Not-able-to-sourcetype/m-p/58569#M11512 <P>Thanks Stephen.. it works now. what i did was not only correct SourceType to Sourcetype in transforms.conf but also move props and transforms.conf to /etc/system/local directory from /etc/apps/SplunkForwarder/local.<BR /><BR /> so my new question is should i always have props and transforms under /etc/system/local as supposed to under an App (/etc/apps/app-name/local) for index time transformations ? If we have different applications with its own props and transforms, should we always combine that under /etc/system/local ?</P> <P>thanks<BR /> pmr</P> Mon, 27 Sep 2010 22:15:51 GMT pmr 2010-09-27T22:15:51Z https://community.splunk.com/t5/Getting-Data-In/Not-able-to-sourcetype/m-p/58567#M11510 <P>I'm unable to force sourcetype from props.conf. Relatively new to splunk, am trying to setup logging of solaris /var/adm/messages. Am extracting ftp from the message and trying to sourcetype it as ftp. what's happening is if i try to set sourcetype to Solaris_Messages under inputs.conf for all /var/adm/messages it works. However if i try to extract "ftp" with props.conf and transforms.conf it sourcetypes it as "Syslog". I'm wondering if some default or learned sourcetypes is being enforced. Below are outputs of each files :</P> <P>/opt/splunk/etc/apps/SplunkForwarder/local/props.conf :</P> <PRE><CODE>[source::.../adm/messages] TRANSFORMS-sourcetype_for_ftpd = sourcetype_for_ftpd </CODE></PRE> <P>/opt/splunk/etc/apps/SplunkForwarder/local/transforms.conf :</P> <PRE><CODE>[sourcetype_for_ftpd] DEST_KEY = MetaData:SourceType REGEX = ftpd\[\d+\]\: FORMAT = sourcetype::ftp </CODE></PRE> <P>when i set props and transforms to the above and restart, all ftp messages are sourcetype'd as Syslog. But when i simply set inputs.conf like below :</P> <P>/opt/splunk/etc/apps/SplunkForwarder/local/inputs.conf :</P> <PRE><CODE>[monitor:///var/adm/messages] sourcetype = Solaris_Messages </CODE></PRE> <P>all /var/adm/messages are sourcetype'd as Solaris_Messages which is good. I'm wondering why my props and transforms isn't working as expected, i tried using btool and show config but couldn't exactly figure out from which file sourcetype=Syslog is getting applied. This is in a forwarder config on solaris. Basically sourcetype seems to be working under inputs.conf whereas its not for props and transforms.</P> <P>Any help is greatly appreciated. </P> <P>thanks pmr</P> Mon, 27 Sep 2010 09:57:41 GMT https://community.splunk.com/t5/Getting-Data-In/Not-able-to-sourcetype/m-p/58567#M11510 pmr 2010-09-27T09:57:41Z https://community.splunk.com/t5/Getting-Data-In/Not-able-to-sourcetype/m-p/58568#M11511 <P>In transforms.conf, <CODE>DEST_KEY</CODE> is case sensitive and should be <CODE>MetaData:Sourcetype</CODE> as specified in transforms.conf.spec.</P> Mon, 27 Sep 2010 12:06:25 GMT https://community.splunk.com/t5/Getting-Data-In/Not-able-to-sourcetype/m-p/58568#M11511 Stephen_Sorkin 2010-09-27T12:06:25Z https://community.splunk.com/t5/Getting-Data-In/Not-able-to-sourcetype/m-p/58569#M11512 <P>Thanks Stephen.. it works now. what i did was not only correct SourceType to Sourcetype in transforms.conf but also move props and transforms.conf to /etc/system/local directory from /etc/apps/SplunkForwarder/local.<BR /><BR /> so my new question is should i always have props and transforms under /etc/system/local as supposed to under an App (/etc/apps/app-name/local) for index time transformations ? If we have different applications with its own props and transforms, should we always combine that under /etc/system/local ?</P> <P>thanks<BR /> pmr</P> Mon, 27 Sep 2010 22:15:51 GMT https://community.splunk.com/t5/Getting-Data-In/Not-able-to-sourcetype/m-p/58569#M11512 pmr 2010-09-27T22:15:51Z