https://community.splunk.com/t5/Getting-Data-In/props-conf-precedence/m-p/77690#M15917 <P>Actually, I can't : not all logs received on udp:514 are juniper-sa-access. The stanza set_juniper-sa-access contains a regex to check the format.</P> Wed, 09 Nov 2011 09:11:36 GMT afaraino 2011-11-09T09:11:36Z https://community.splunk.com/t5/Getting-Data-In/props-conf-precedence/m-p/77686#M15913 <P>Hi Everyone,</P> <P>I'm having a little issue related with props.conf precedence. I want to apply a transforms stanza to set a sourcetype, then another stanza to extract the Metadata:Host field for <STRONG>this sourcetype</STRONG>. I tried this in props.conf :</P> <PRE><CODE>[source::udp:514] TRANSFORMS-changesourcetype = set_juniper-sa-access [juniper-sa-access] TRANSFORMS-changehost = juniper-sa-access_host </CODE></PRE> <P>...but it's not working. The first transform sets the sourcetype to <EM>juniper-sa-access</EM> but the second one never applies.</P> <P>If I change to that, it's working, but it's not the desired behaviour :</P> <PRE><CODE>[source::udp:514] TRANSFORMS-changesourcetype = set_juniper-sa-access TRANSFORMS-changehost = juniper-sa-access_host </CODE></PRE> <P>Any clue?</P> <P>Is it about precedence (source &gt; host &gt; sourcetype)? or is it because the sourcetype is set "too late" for matching the second stanza?</P> <P>Best Regards,</P> <P>Alexandre Faraino</P> Mon, 19 Sep 2011 09:38:45 GMT https://community.splunk.com/t5/Getting-Data-In/props-conf-precedence/m-p/77686#M15913 afaraino 2011-09-19T09:38:45Z https://community.splunk.com/t5/Getting-Data-In/props-conf-precedence/m-p/77687#M15914 <P>Found that similar topic :<BR /> <A href="http://splunk-base.splunk.com/answers/25512/is-my-sourcetype-override-messing-up-my-field-extraction-or-am-i">http://splunk-base.splunk.com/answers/25512/is-my-sourcetype-override-messing-up-my-field-extraction-or-am-i</A></P> <P>The transforms.conf is read only once. So this is a "by design" behavior. I'll try something else.</P> <P>Alex</P> Mon, 19 Sep 2011 13:34:42 GMT https://community.splunk.com/t5/Getting-Data-In/props-conf-precedence/m-p/77687#M15914 afaraino 2011-09-19T13:34:42Z https://community.splunk.com/t5/Getting-Data-In/props-conf-precedence/m-p/77688#M15915 <P>Your easiest solution is to just <CODE>sourcetype = juniper-sa-access</CODE> in the inputs.conf where you define the <CODE>[udp://514]</CODE> stanza. All data from that input will be marked with that sourcetype.</P> Mon, 19 Sep 2011 14:37:38 GMT https://community.splunk.com/t5/Getting-Data-In/props-conf-precedence/m-p/77688#M15915 gkanapathy 2011-09-19T14:37:38Z https://community.splunk.com/t5/Getting-Data-In/props-conf-precedence/m-p/77689#M15916 <P>Your easiest solution is to just <CODE>sourcetype = juniper-sa-access</CODE> in the inputs.conf where you define the <CODE>[udp://514]</CODE> stanza. All data from that input will be marked with that sourcetype.</P> Mon, 19 Sep 2011 14:37:40 GMT https://community.splunk.com/t5/Getting-Data-In/props-conf-precedence/m-p/77689#M15916 gkanapathy 2011-09-19T14:37:40Z https://community.splunk.com/t5/Getting-Data-In/props-conf-precedence/m-p/77690#M15917 <P>Actually, I can't : not all logs received on udp:514 are juniper-sa-access. The stanza set_juniper-sa-access contains a regex to check the format.</P> Wed, 09 Nov 2011 09:11:36 GMT https://community.splunk.com/t5/Getting-Data-In/props-conf-precedence/m-p/77690#M15917 afaraino 2011-11-09T09:11:36Z