<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: dynamic sourcetype extraction problems in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/dynamic-sourcetype-extraction-problems/m-p/35353#M6422</link>
    <description>&lt;P&gt;I believe that the problem lies with this configuration parameter :&lt;/P&gt;

&lt;P&gt;"&lt;CODE&gt;SOURCE_KEY = source&lt;/CODE&gt;".&lt;/P&gt;

&lt;P&gt;From &lt;A href="http://www.splunk.com/base/Documentation/latest/Admin/Transformsconf"&gt;transforms.conf.spec&lt;/A&gt; :&lt;/P&gt;

&lt;P&gt;&lt;PRE&gt;&lt;CODE&gt;SOURCE_KEY = &amp;lt;string&amp;gt;&lt;BR /&gt;
 * NOTE: This attribute is valid for both index-time and search-time field extractions.&lt;BR /&gt;
 * &lt;STRONG&gt;Optional. Defines the KEY that Splunk applies the REGEX to.&lt;/STRONG&gt;&lt;BR /&gt;
 * For search time extractions, you can use this attribute to extract one or more values from &lt;BR /&gt;
  the values of another field. You can use any field that is available at the time of the &lt;BR /&gt;
  execution of this field extraction.&lt;BR /&gt;
 * For index-time extractions use the KEYs described at the bottom of this file. &lt;BR /&gt;
 * KEYs are case-sensitive, and should be used exactly as they appear in the KEYs list at&lt;BR /&gt;
  the bottom of this file. (For example, you would say SOURCE_KEY = MetaData:Host, &lt;EM&gt;not&lt;/EM&gt; &lt;BR /&gt;
  SOURCE_KEY = metadata:host .)&lt;BR /&gt;
 * SOURCE_KEY is typically used in conjunction with REPEAT_MATCH in index-time field &lt;BR /&gt;
  transforms.&lt;BR /&gt;
 * &lt;STRONG&gt;Defaults to _raw, which means it is applied to the raw, unprocessed text of all events.&lt;/STRONG&gt;&lt;/CODE&gt;&lt;/PRE&gt;&lt;/P&gt;

&lt;P&gt;The string "&lt;CODE&gt;source&lt;/CODE&gt;" is an invalid value for &lt;CODE&gt;SOURCE_KEY&lt;/CODE&gt;. I am assuming that your goal is to extract the value to assign to the "&lt;CODE&gt;sourcetype&lt;/CODE&gt;" from the body of your events.&lt;/P&gt;

&lt;P&gt;In that case, you should remove the "&lt;CODE&gt;SOURCE_KEY = source&lt;/CODE&gt;" parameter altogether, which will result in Splunk applying your &lt;CODE&gt;REGEX&lt;/CODE&gt; to the body of the event (the "&lt;CODE&gt;_raw&lt;/CODE&gt;" field).&lt;/P&gt;</description>
    <pubDate>Tue, 28 Jun 2011 03:29:37 GMT</pubDate>
    <dc:creator>hexx</dc:creator>
    <dc:date>2011-06-28T03:29:37Z</dc:date>
    <item>
      <title>dynamic sourcetype extraction problems</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/dynamic-sourcetype-extraction-problems/m-p/35351#M6420</link>
      <description>&lt;P&gt;Hi all,&lt;BR /&gt;
I am trying to set up dynamic sourcetype extraction, but no luck. &lt;/P&gt;

&lt;P&gt;sample message has json:&lt;BR /&gt;
{"id":"someid","type":"action"}&lt;/P&gt;

&lt;P&gt;This is my config:&lt;/P&gt;

&lt;P&gt;inputs.conf:&lt;/P&gt;

&lt;P&gt;&lt;CODE&gt;&lt;BR /&gt;
[tcp://9001]&lt;BR /&gt;
connection_host = none&lt;BR /&gt;
source=platform&lt;BR /&gt;
&lt;/CODE&gt;&lt;/P&gt;

&lt;P&gt;props.conf:&lt;/P&gt;

&lt;P&gt;&lt;CODE&gt;&lt;BR /&gt;
[source::platform]&lt;BR /&gt;
TRANSFORMS-sourcetype = platform-st&lt;BR /&gt;
&lt;/CODE&gt;&lt;/P&gt;

&lt;P&gt;transforms.conf:&lt;/P&gt;

&lt;P&gt;&lt;CODE&gt;&lt;BR /&gt;
[platform-st]&lt;BR /&gt;
SOURCE_KEY = source&lt;BR /&gt;
DEST_KEY = MetaData:Sourcetype&lt;BR /&gt;
REGEX = \"type\":\"([^\"]+)\"&lt;BR /&gt;
FORMAT = sourcetype::$1&lt;BR /&gt;
&lt;/CODE&gt;&lt;/P&gt;

&lt;P&gt;Thank you&lt;/P&gt;</description>
      <pubDate>Tue, 28 Jun 2011 02:02:36 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/dynamic-sourcetype-extraction-problems/m-p/35351#M6420</guid>
      <dc:creator>Ultracpp</dc:creator>
      <dc:date>2011-06-28T02:02:36Z</dc:date>
    </item>
    <item>
      <title>Re: dynamic sourcetype extraction problems</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/dynamic-sourcetype-extraction-problems/m-p/35352#M6421</link>
      <description>&lt;P&gt;You should not specify &lt;CODE&gt;SOURCE_KEY = source&lt;/CODE&gt;. Presumably, you want to run the regex against the raw data, not the &lt;CODE&gt;source&lt;/CODE&gt; field.&lt;/P&gt;</description>
      <pubDate>Tue, 28 Jun 2011 03:15:27 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/dynamic-sourcetype-extraction-problems/m-p/35352#M6421</guid>
      <dc:creator>gkanapathy</dc:creator>
      <dc:date>2011-06-28T03:15:27Z</dc:date>
    </item>
    <item>
      <title>Re: dynamic sourcetype extraction problems</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/dynamic-sourcetype-extraction-problems/m-p/35353#M6422</link>
      <description>&lt;P&gt;I believe that the problem lies with this configuration parameter :&lt;/P&gt;

&lt;P&gt;"&lt;CODE&gt;SOURCE_KEY = source&lt;/CODE&gt;".&lt;/P&gt;

&lt;P&gt;From &lt;A href="http://www.splunk.com/base/Documentation/latest/Admin/Transformsconf"&gt;transforms.conf.spec&lt;/A&gt; :&lt;/P&gt;

&lt;P&gt;&lt;PRE&gt;&lt;CODE&gt;SOURCE_KEY = &amp;lt;string&amp;gt;&lt;BR /&gt;
 * NOTE: This attribute is valid for both index-time and search-time field extractions.&lt;BR /&gt;
 * &lt;STRONG&gt;Optional. Defines the KEY that Splunk applies the REGEX to.&lt;/STRONG&gt;&lt;BR /&gt;
 * For search time extractions, you can use this attribute to extract one or more values from &lt;BR /&gt;
  the values of another field. You can use any field that is available at the time of the &lt;BR /&gt;
  execution of this field extraction.&lt;BR /&gt;
 * For index-time extractions use the KEYs described at the bottom of this file. &lt;BR /&gt;
 * KEYs are case-sensitive, and should be used exactly as they appear in the KEYs list at&lt;BR /&gt;
  the bottom of this file. (For example, you would say SOURCE_KEY = MetaData:Host, &lt;EM&gt;not&lt;/EM&gt; &lt;BR /&gt;
  SOURCE_KEY = metadata:host .)&lt;BR /&gt;
 * SOURCE_KEY is typically used in conjunction with REPEAT_MATCH in index-time field &lt;BR /&gt;
  transforms.&lt;BR /&gt;
 * &lt;STRONG&gt;Defaults to _raw, which means it is applied to the raw, unprocessed text of all events.&lt;/STRONG&gt;&lt;/CODE&gt;&lt;/PRE&gt;&lt;/P&gt;

&lt;P&gt;The string "&lt;CODE&gt;source&lt;/CODE&gt;" is an invalid value for &lt;CODE&gt;SOURCE_KEY&lt;/CODE&gt;. I am assuming that your goal is to extract the value to assign to the "&lt;CODE&gt;sourcetype&lt;/CODE&gt;" from the body of your events.&lt;/P&gt;

&lt;P&gt;In that case, you should remove the "&lt;CODE&gt;SOURCE_KEY = source&lt;/CODE&gt;" parameter altogether, which will result in Splunk applying your &lt;CODE&gt;REGEX&lt;/CODE&gt; to the body of the event (the "&lt;CODE&gt;_raw&lt;/CODE&gt;" field).&lt;/P&gt;</description>
      <pubDate>Tue, 28 Jun 2011 03:29:37 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/dynamic-sourcetype-extraction-problems/m-p/35353#M6422</guid>
      <dc:creator>hexx</dc:creator>
      <dc:date>2011-06-28T03:29:37Z</dc:date>
    </item>
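    A corrected set of stanzas for the configuration in the question, added here as an example rather than config posted by anyone in the thread. It drops SOURCE_KEY so that REGEX runs against _raw (the default), and it narrows the capture group to a small character class: with connection_host = none on tcp://9001 the sourcetype value is taken directly from whatever a client sends, and leaving the capture as [^"]+ lets any sender choose the sourcetype its events are stored under, which is what searches, alerts and search-time field extractions key on. The stanza names, the port and the JSON field come from the question; the character class, the default sourcetype set in inputs.conf for events that do not match, and the comments are assumptions.

    ```ini
    # inputs.conf
    # Assumption: a default sourcetype so events whose JSON lacks a usable
    # "type" still land under a known sourcetype instead of an automatic one.
    [tcp://9001]
    connection_host = none
    source = platform
    sourcetype = platform

    # props.conf (as in the question)
    [source::platform]
    TRANSFORMS-sourcetype = platform-st

    # transforms.conf
    [platform-st]
    # No SOURCE_KEY: without it the REGEX is applied to _raw, the event body.
    # The capture is restricted to a safe character set (assumption) so an
    # untrusted sender cannot write an arbitrary string into MetaData:Sourcetype.
    REGEX = \"type\":\"([A-Za-z0-9_-]+)\"
    DEST_KEY = MetaData:Sourcetype
    FORMAT = sourcetype::$1
    ```

    Index-time transforms run in the parsing pipeline, so these files belong on the indexer or heavy forwarder that parses the data, not on a universal forwarder; the change takes effect after a restart and only for events indexed from then on. Once data flows, a search such as source=platform | stats count by sourcetype should show "action" for the sample event and "platform" for anything the REGEX did not match.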
  </channel>
</rss>

