https://community.splunk.com/t5/Getting-Data-In/sourcetype-override/m-p/64058#M12867 <P>Does the host of the data show up as fortigate?</P> Mon, 16 Sep 2013 20:53:25 GMT lguinn2 2013-09-16T20:53:25Z https://community.splunk.com/t5/Getting-Data-In/sourcetype-override/m-p/64057#M12866 <P>I am new to splunk and i am now going to receive syslog from multiple devices on UDP514, so i cant define a specific sourcetype to UDP:514, right? And I installed the Fortigate apps and edited the /etc/hosts to resolve the IP. I can successfully resolve the IP to hostname "fortigate" and below are my input.conf and props.conf files</P> <P>input.conf<BR /> [udp://514]<BR /> connection_host = dns</P> <P>props.conf<BR /> [host::fortigate]<BR /> sourcetype = fortigate</P> <P>It is not working, sourcetype of the data still shown as UDP:514, did i do any wrong?<BR /> Thanks for helping</P> Mon, 16 Sep 2013 10:17:36 GMT https://community.splunk.com/t5/Getting-Data-In/sourcetype-override/m-p/64057#M12866 jackykitkit 2013-09-16T10:17:36Z https://community.splunk.com/t5/Getting-Data-In/sourcetype-override/m-p/64058#M12867 <P>Does the host of the data show up as fortigate?</P> Mon, 16 Sep 2013 20:53:25 GMT https://community.splunk.com/t5/Getting-Data-In/sourcetype-override/m-p/64058#M12867 lguinn2 2013-09-16T20:53:25Z https://community.splunk.com/t5/Getting-Data-In/sourcetype-override/m-p/64059#M12868 <P>shouldn't the sourcetype be present in the udp://.. inputs stanza?</P> Mon, 16 Sep 2013 20:59:52 GMT https://community.splunk.com/t5/Getting-Data-In/sourcetype-override/m-p/64059#M12868 linu1988 2013-09-16T20:59:52Z https://community.splunk.com/t5/Getting-Data-In/sourcetype-override/m-p/64060#M12869 <P>yes, the host shown as "fortigate" sourcetype and source are UDP:514</P> Tue, 17 Sep 2013 00:34:48 GMT https://community.splunk.com/t5/Getting-Data-In/sourcetype-override/m-p/64060#M12869 jackykitkit 2013-09-17T00:34:48Z https://community.splunk.com/t5/Getting-Data-In/sourcetype-override/m-p/64061#M12870 <P>You can do</P> <PRE><CODE>[udp://iPaddress:514] Index=foo sourcetype=bar </CODE></PRE> Tue, 17 Sep 2013 01:03:38 GMT https://community.splunk.com/t5/Getting-Data-In/sourcetype-override/m-p/64061#M12870 adrianathome 2013-09-17T01:03:38Z https://community.splunk.com/t5/Getting-Data-In/sourcetype-override/m-p/64062#M12871 <P>The input.conf UDP sets the sourcetype, and source.</P> <P>This will need to be overridden, and a props.conf by itself is not enough.</P> <P>See this post: <A href="http://answers.splunk.com/answers/34251/udp514-and-source-types">http://answers.splunk.com/answers/34251/udp514-and-source-types</A></P> <P>Hope this helps.</P> Tue, 17 Sep 2013 01:24:32 GMT https://community.splunk.com/t5/Getting-Data-In/sourcetype-override/m-p/64062#M12871 lukejadamec 2013-09-17T01:24:32Z https://community.splunk.com/t5/Getting-Data-In/sourcetype-override/m-p/64063#M12872 <P>Thanks for helping, i am now successfully override the sourcetype of fortigate, and my config are:</P> <P>input.conf<BR /> [udp://514]<BR /> connection_host = dns<BR /> sourcetype = syslog</P> <P>props.conf<BR /> [syslog]<BR /> TRANSFORMS-sourcetype_and_host_override = fortigate<BR /> SHOULD_LINEMERGE = false</P> <P>transforms.conf<BR /> [fortigate]<BR /> DEST_KEY = MetaData:Sourcetype<BR /> REGEX = fortigate<BR /> FORMAT = sourcetype::fortigate</P> <P>But how can i override the sourcetype if i have another host come from udp514? thanks</P> Mon, 28 Sep 2020 14:48:41 GMT https://community.splunk.com/t5/Getting-Data-In/sourcetype-override/m-p/64063#M12872 jackykitkit 2020-09-28T14:48:41Z