https://community.splunk.com/t5/Getting-Data-In/configuring-sourcetype-with-props-transforms-and-inputs/m-p/26343#M4342 <P>There are two issues here:</P> <OL> <LI>In props.conf, an index time transformation should be <CODE>TRANSFORMS-iptables = iptables</CODE> as opposed to <CODE>REPORT-</CODE>.</LI> <LI>In transforms.conf, the correct DEST_KEY, according to <CODE>$SPLUNK_HOME/etc/system/README/transforms.conf.spec</CODE> is <CODE>MetaData:Sourcetype</CODE>.</LI> </OL> Mon, 09 Aug 2010 01:18:38 GMT Stephen_Sorkin 2010-08-09T01:18:38Z https://community.splunk.com/t5/Getting-Data-In/configuring-sourcetype-with-props-transforms-and-inputs/m-p/26342#M4341 <P>hello everyone,</P> <P>I know there are many similar posts to this, and i have read a lot but i cant seem to get it to work. </P> <P>I am trying to manually change the sourcetype. I have a LWF and a indexer. im trying to change my iptables logs sourcetype to "iptables". i've tried several different things. I probably have several things wrong, if someone could point me in the right direction or tell me exactly what to do that would be great. here is some stuff I have at the moment. </P> <P>on my LWF: </P> <PRE><CODE>inputs.conf: [monitor:///var/log/kern.log] sourcetype = test [monitor:///var/log/syslog] sourcetype = test </CODE></PRE> <P>on my indexer:</P> <PRE><CODE>props.conf: [test] REPORT-iptables = iptables </CODE></PRE> <P>-also tried TRANSFORMS</P> <PRE><CODE>transforms.conf: [iptables] DEST_KEY = MetaData:sourcetype REGEX = \bIN\w*\b.*\bTCP\b FORMAT = sourcetype::sourcetype </CODE></PRE> <P>all my iptables logs have either INBOUND TCP or INPUT TCP, im trying to use an easy regex, as i havent used it before.</P> <P>here is an example of a log:</P> <PRE><CODE>Aug 6 10:50:03 VM2 kernel: [ 9468.989438] INBOUND TCP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:c0:00:08:08:00 SRC=192.168.232.1 DST=192.168.232.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=312 PROTO=UDP SPT=138 DPT=138 LEN=209 </CODE></PRE> <P>if there is something i didn't post that would be helpful let me know.</P> <P>Thanks!</P> Sat, 07 Aug 2010 00:57:57 GMT https://community.splunk.com/t5/Getting-Data-In/configuring-sourcetype-with-props-transforms-and-inputs/m-p/26342#M4341 woodchuck 2010-08-07T00:57:57Z https://community.splunk.com/t5/Getting-Data-In/configuring-sourcetype-with-props-transforms-and-inputs/m-p/26343#M4342 <P>There are two issues here:</P> <OL> <LI>In props.conf, an index time transformation should be <CODE>TRANSFORMS-iptables = iptables</CODE> as opposed to <CODE>REPORT-</CODE>.</LI> <LI>In transforms.conf, the correct DEST_KEY, according to <CODE>$SPLUNK_HOME/etc/system/README/transforms.conf.spec</CODE> is <CODE>MetaData:Sourcetype</CODE>.</LI> </OL> Mon, 09 Aug 2010 01:18:38 GMT https://community.splunk.com/t5/Getting-Data-In/configuring-sourcetype-with-props-transforms-and-inputs/m-p/26343#M4342 Stephen_Sorkin 2010-08-09T01:18:38Z https://community.splunk.com/t5/Getting-Data-In/configuring-sourcetype-with-props-transforms-and-inputs/m-p/26344#M4343 <P>thanks, its seems to work now!</P> Tue, 10 Aug 2010 04:19:03 GMT https://community.splunk.com/t5/Getting-Data-In/configuring-sourcetype-with-props-transforms-and-inputs/m-p/26344#M4343 woodchuck 2010-08-10T04:19:03Z