https://community.splunk.com/t5/Getting-Data-In/Sourcetype-overide-with-a-forwarder/m-p/171597#M34632 <P>i have 3 forwarders, they each receive udp:514. They have nothing installed on them and are heavy forwarder.<BR /> They forwards using tcp:9997 and my receiver is also listening from UDP:514 and receiving from forwarders.</P> <P>Each forwarders is sending to a specific index. Now i wants to override sourcetype with a regex.</P> <P>It's easier for me to make search with this configuration, like index=X sourcetype=Y where X is the index from my forwarder (that's part work fine) and Y is the constructor of the device sending logs.</P> Mon, 09 Dec 2013 08:37:23 GMT ddarmand 2013-12-09T08:37:23Z https://community.splunk.com/t5/Getting-Data-In/Sourcetype-overide-with-a-forwarder/m-p/171595#M34630 <P>Hello everyone,</P> <P>I want to override the sourcetype of my logs with a regex (i know how to do this part)<BR /> but i have some issue to know how to override the sourcetype from logs received from a forwarder.</P> <P>I don't know if i have to modify the props.conf and transforms.conf on the forwarder or on the receiver or if i can do both and specify a thing like [source::tcp:9997] </P> <P>Can you help me please ?</P> Mon, 09 Dec 2013 08:06:48 GMT https://community.splunk.com/t5/Getting-Data-In/Sourcetype-overide-with-a-forwarder/m-p/171595#M34630 ddarmand 2013-12-09T08:06:48Z https://community.splunk.com/t5/Getting-Data-In/Sourcetype-overide-with-a-forwarder/m-p/171596#M34631 <P>I think you need to provide more details regarding your use case, but the <CODE>source</CODE> field of events received from a forwarder will not be <CODE>[tcp:9997]</CODE>, but rather the path to, and name of, the file that was read by the forwarder. If it is a scripted input, then the name of the script.</P> <P>This is unlike a Splunk indexer listening to syslog traffic directly, where the <CODE>source</CODE> would be <CODE>[udp:514]</CODE></P> <P>/K</P> Mon, 09 Dec 2013 08:24:00 GMT https://community.splunk.com/t5/Getting-Data-In/Sourcetype-overide-with-a-forwarder/m-p/171596#M34631 kristian_kolb 2013-12-09T08:24:00Z https://community.splunk.com/t5/Getting-Data-In/Sourcetype-overide-with-a-forwarder/m-p/171597#M34632 <P>i have 3 forwarders, they each receive udp:514. They have nothing installed on them and are heavy forwarder.<BR /> They forwards using tcp:9997 and my receiver is also listening from UDP:514 and receiving from forwarders.</P> <P>Each forwarders is sending to a specific index. Now i wants to override sourcetype with a regex.</P> <P>It's easier for me to make search with this configuration, like index=X sourcetype=Y where X is the index from my forwarder (that's part work fine) and Y is the constructor of the device sending logs.</P> Mon, 09 Dec 2013 08:37:23 GMT https://community.splunk.com/t5/Getting-Data-In/Sourcetype-overide-with-a-forwarder/m-p/171597#M34632 ddarmand 2013-12-09T08:37:23Z https://community.splunk.com/t5/Getting-Data-In/Sourcetype-overide-with-a-forwarder/m-p/171598#M34633 <P>Well, you'll have to look at events that you <EM>know</EM> are coming from a forwarder, and take the value of the <CODE>source</CODE>, and run it through a transform. However, if this value is <CODE>udp:514</CODE>, you might catch too many events in your transform, if your indexer is also listening on incoming syslog traffic.</P> <P>However, if the forwarders are indeed Heavy Forwarders, then you can set up the tranforming there, hopefully being able to only catch the 'correct' events.</P> Mon, 09 Dec 2013 11:46:48 GMT https://community.splunk.com/t5/Getting-Data-In/Sourcetype-overide-with-a-forwarder/m-p/171598#M34633 kristian_kolb 2013-12-09T11:46:48Z