https://community.splunk.com/t5/Getting-Data-In/Cannot-overwrite-sourcetype-and-source-from-raw/m-p/28936#M4980 <P>Splunk is treating the data in _raw as one large string. Instead of using the "^" with the regexes, try using "\n", so:</P> <P>[setSourceType]<BR /> SOURCE_KEY = __raw<BR /><BR /> DEST_KEY = MetaData:Sourcetype<BR /><BR /> REGEX = \nsourcetype=(.*)$<BR /><BR /> FORMAT = sourcetype::$1</P> Mon, 28 Sep 2020 09:40:53 GMT dshpritz 2020-09-28T09:40:53Z https://community.splunk.com/t5/Getting-Data-In/Cannot-overwrite-sourcetype-and-source-from-raw/m-p/28935#M4979 <P>Hi All, </P> <P>I'm having a transforms.conf and props.conf override issue. </P> <P>inputs.conf:<BR /><BR /> [tcp://10000]<BR /><BR /> connection_host = dns<BR /><BR /> index = myindex<BR /></P> <P>props.conf: <BR /><BR /> [source::tcp:10000]<BR /><BR /> MAX_EVENTS = 10000<BR /><BR /> TRUNCATE = 100000<BR /><BR /> BREAK_ONLY_BEFORE = ^host<BR /><BR /> TRANSFORMS-all=setHost, setSource, setSourceType<BR /></P> <P>transforms.conf: <BR /><BR /> [setHost]<BR /><BR /> DEST_KEY = MetaData:Host<BR /><BR /> REGEX = ^host=([a-z0-9-]+)$<BR /><BR /> FORMAT = host::$1<BR /></P> <P>[setSource]<BR /><BR /> SOURCE_KEY = _raw<BR /><BR /> DEST_KEY = MetaData:Source<BR /><BR /> REGEX = ^source=(.*)$<BR /><BR /> FORMAT = source::$1<BR /></P> <P>[setSourceType]<BR /><BR /> SOURCE_KEY = _raw<BR /><BR /> DEST_KEY = MetaData:Sourcetype<BR /><BR /> REGEX = ^sourcetype=(.*)$<BR /><BR /> FORMAT = sourcetype::$1<BR /></P> <P>So, the transformation setHost gets applied, but setSource and setSourceType doesnt. </P> <P>Any ideas? </P> <P>data is being sent via tcpsocket and a sample is like so: <BR /><BR /> host=test-devdb01<BR /><BR /> sourcetype=SESSIONS<BR /><BR /> source=myscript.sh<BR /><BR /> test-devdb01|itmscmd|SESSIONS|ACTIVE=1<BR /><BR /> test-devdb01|itmscmd|SESSIONS|ACTIVE=1<BR /><BR /> test-devdb01|itmscmd|SESSIONS|ACTIVE=1<BR /><BR /> test-devdb01|itmscmd|SESSIONS|ACTIVE=1<BR /><BR /> test-devdb01|itmscmd|SESSIONS|ACTIVE=1<BR /><BR /> test-devdb01|itmscmd|SESSIONS|ACTIVE=1<BR /><BR /> host=test-devdb01 Options| sourcetype=tcp-raw Options| source=tcp:1567 Options</P> Mon, 28 Sep 2020 09:40:50 GMT https://community.splunk.com/t5/Getting-Data-In/Cannot-overwrite-sourcetype-and-source-from-raw/m-p/28935#M4979 seanwong 2020-09-28T09:40:50Z https://community.splunk.com/t5/Getting-Data-In/Cannot-overwrite-sourcetype-and-source-from-raw/m-p/28936#M4980 <P>Splunk is treating the data in _raw as one large string. Instead of using the "^" with the regexes, try using "\n", so:</P> <P>[setSourceType]<BR /> SOURCE_KEY = __raw<BR /><BR /> DEST_KEY = MetaData:Sourcetype<BR /><BR /> REGEX = \nsourcetype=(.*)$<BR /><BR /> FORMAT = sourcetype::$1</P> Mon, 28 Sep 2020 09:40:53 GMT https://community.splunk.com/t5/Getting-Data-In/Cannot-overwrite-sourcetype-and-source-from-raw/m-p/28936#M4980 dshpritz 2020-09-28T09:40:53Z https://community.splunk.com/t5/Getting-Data-In/Cannot-overwrite-sourcetype-and-source-from-raw/m-p/28937#M4981 <P>With the explanation of it being treated as one large string, i then assumed splunk might treating it as a literal string '<STRING>'. <BR /></STRING></P> <P>Just in case the greedy quantifier of * was eating too much, i also modified my regex to be:<BR /><BR /> REGEX = \nsource=([a-zA-Z0-9-.]+)<BR /></P> <P>Thanks dshpritz!</P> Thu, 16 Jun 2011 02:39:36 GMT https://community.splunk.com/t5/Getting-Data-In/Cannot-overwrite-sourcetype-and-source-from-raw/m-p/28937#M4981 seanwong 2011-06-16T02:39:36Z