topic Re: Props transforms.conf for source thats not playing nice in Getting Data In

Props transforms.conf for source thats not playing nice

domenico_perre — Tue, 29 Sep 2020 06:44:34 GMT

Hi All,

I have been having significant trouble with one set of props/transforms for our environment. I have tried numerous things that I will detail below to no avail. The end result is that I want to move a specific type of event to an index. Sounds simple and I have done it for many others but this one is just plain out simple not working.

So here are the config files.
props.conf
[source::syslogind]
TRANSFORMS-SetIndexSourcetype = set_index_random

transforms.conf
[set_index_random]
REGEX = [A-Z]{1}[a-z]{2}\s+\d+\s+\d{2}:\d{2}:\d{2}.*SpecificText
DEST_KEY = _MetaData:Index
FORMAT = anotherindex

In my inputs.conf I have the following

[udp://514]
connection_host = dns
compressed = true
source = syslogind

Now this is what I have tried.

In props.conf I have had the following settings
[udp:514]
[source::udp:514]
[source::(udp:514)]

But still my data is being pushed into main bucket with the source and sourcetype of udp:514.

Splunk Output source = udp:514 sourcetype = udp:514

I have confirmed the regex is working within splunk using extract fields then seeing if all are ticked.

I am a little stumped for ideas. My last effort was to change the source on the inputs.conf to something random then apply the transforms on that. But that didn't work. Thanks in advance for your help.

Re: Props transforms.conf for source thats not playing nice

woodcock — Sat, 18 Jul 2015 15:00:50 GMT

Why are you not explicitly setting your sourcetype in inputs.conf (I highly recommend adding one)? Once you set a sourcetype, you can use that sourcetype for your stanza header inside props.conf. What kind of forwarder are you using (is it a Heavy Forwarder)? If not using a Heavy Forwarder, you need to deploy these changes to ALL of your indexers and the restart all Splunk instances before the changes will take effect. If using Heavy Forwarder, check out this link:

http://answers.splunk.com/answers/8531/routing-to-index-based-on-host-etc.html

Re: Props transforms.conf for source thats not playing nice

domenico_perre — Sun, 19 Jul 2015 07:22:01 GMT

Hey woodcock I am doing an inputs.conf to a source because I don't want to specify a specific sourcetype as I have a range of different inputs coming in on this port. This is coming direct to the indexers. I do have heavy forwarders though.

Re: Props transforms.conf for source thats not playing nice

domenico_perre — Sun, 19 Jul 2015 07:24:42 GMT

I should also add that the logs are being sent from a client that is not a universal forwarder. Otherwise I could apply the source at the outputs.conf.

Re: Props transforms.conf for source thats not playing nice

domenico_perre — Sun, 19 Jul 2015 21:48:36 GMT

I am marking your answer as correct woodcock as I checked this morning when I arrived as I was sure that the logs were going direct to the indexer. But they are in fact going to a heavy forwarder first. I updated the heavy forwarder props.conf and transforms.conf and it is now working. Thankyou so much :). I thought I was going crazy!!