https://community.splunk.com/t5/Getting-Data-In/Transforming-events-twice/m-p/35827#M6519 <P>The reason for doing it is that syslog data are not only one type: firewall, routers, linux servers and so on. So, in this particular case, you cannot set the sourcetype and index at the input.</P> Thu, 15 Aug 2013 21:18:09 GMT OL 2013-08-15T21:18:09Z https://community.splunk.com/t5/Getting-Data-In/Transforming-events-twice/m-p/35824#M6516 <P>Hello all,</P> <P>Would anyone know if there is a way to apply a transform twice on two different sourcetype. Explanation: events are received with sourcetype syslog. I use a "transforms" on sourcetype syslog to change the sourcetype of some events to firewall_syslog. I then would like to change the index of the events with sourcetype firewall_syslog to index=firewall. The first transform is being applied, but not the second one. Here is how I do it:</P> <P>props.conf</P> <PRE><CODE>[syslog] TRANSFORMS-01 = sourcetype2fw [firewall_syslog] TRANSFORMS-02 = index2fw </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[sourcetype2fw] REGEX = 10.12.14.* DEST_KEY = MetaData:Sourcetype FORMAT = sourcetype::firewall_syslog [index2fw] REGEX = . DEST_KEY = _MetaData:Index FORMAT = index::firewall </CODE></PRE> <P>I know that I could use the second transform in the syslog sourcetype and this is working, but this would imply that we need to run the same REGEX twice (once for the change of sourcetype and once for the change of index). The way I thought and which doesn't seem to work would run the REGEX only once (on ethe sourcetype) when the second REGEX would accept everything.</P> <P>Any idea?</P> <P>Regards,<BR /> Olivier</P> Mon, 28 Sep 2020 14:34:47 GMT https://community.splunk.com/t5/Getting-Data-In/Transforming-events-twice/m-p/35824#M6516 OL 2020-09-28T14:34:47Z https://community.splunk.com/t5/Getting-Data-In/Transforming-events-twice/m-p/35825#M6517 <P>Why would you do it this way when you can just assign the correct sourcetype and index to the input source?</P> Thu, 15 Aug 2013 20:25:50 GMT https://community.splunk.com/t5/Getting-Data-In/Transforming-events-twice/m-p/35825#M6517 starcher 2013-08-15T20:25:50Z https://community.splunk.com/t5/Getting-Data-In/Transforming-events-twice/m-p/35826#M6518 <P>Question are you picking your syslog data from a flat file or UDP stream? Is every syslog entry being sent to one syslog?</P> Thu, 15 Aug 2013 21:02:59 GMT https://community.splunk.com/t5/Getting-Data-In/Transforming-events-twice/m-p/35826#M6518 bmacias84 2013-08-15T21:02:59Z https://community.splunk.com/t5/Getting-Data-In/Transforming-events-twice/m-p/35827#M6519 <P>The reason for doing it is that syslog data are not only one type: firewall, routers, linux servers and so on. So, in this particular case, you cannot set the sourcetype and index at the input.</P> Thu, 15 Aug 2013 21:18:09 GMT https://community.splunk.com/t5/Getting-Data-In/Transforming-events-twice/m-p/35827#M6519 OL 2013-08-15T21:18:09Z https://community.splunk.com/t5/Getting-Data-In/Transforming-events-twice/m-p/35828#M6520 <P>You must be pulling all syslog into a network input on your indexer. Best practice is to bring syslog to a receiver like a syslog-ng box. Use the universal forwarder to pick up. If you have the logs write to a folder by host you can assign pickup by each folder specifying index and sourcetype. This also means when you add indexers later you can leverage autoLB (load balance) on the forwarder.</P> Fri, 16 Aug 2013 10:55:37 GMT https://community.splunk.com/t5/Getting-Data-In/Transforming-events-twice/m-p/35828#M6520 starcher 2013-08-16T10:55:37Z