<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Change Index and Sourcetype in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Change-Index-and-Sourcetype/m-p/395105#M70490</link>
    <description>&lt;P&gt;Your index rewrite transform looks OK to me, but you've made a typo in the sourcetype-changing section: it should be &lt;CODE&gt;MetaData:Sourcetype&lt;/CODE&gt; (with a capital D), not &lt;CODE&gt;Metadata:Sourcetype&lt;/CODE&gt;.&lt;/P&gt;

&lt;P&gt;To make things easier to debug, you could/should also combine the TRANSFORMS statements into one so you can see more clearly which order they're applied in.&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;TRANSFORMS-changestuff = notfound, setsourcetype
&lt;/CODE&gt;&lt;/PRE&gt;</description>
    <pubDate>Tue, 19 Jun 2018 06:50:37 GMT</pubDate>
    <dc:creator>Ayn</dc:creator>
    <dc:date>2018-06-19T06:50:37Z</dc:date>
    <item>
      <title>Change Index and Sourcetype</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Change-Index-and-Sourcetype/m-p/395104#M70489</link>
      <description>&lt;P&gt;I have a set of data where I want to send events with a 404 error code to a different index, and also, after processing the records, I want to set a final, different sourcetype. Neither is working. Please advise...&lt;/P&gt;
&lt;P&gt;props.conf:&lt;/P&gt;
&lt;PRE&gt;&lt;CODE&gt;[weblogs]
SHOULD_LINEMERGE = false
LINE_BREAKER = (&amp;amp;&amp;amp;&amp;amp;)(?=\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)
DATETIME_CONFIG = 
NO_BINARY_CHECK = true
category = Custom
pulldown_type = true
TRANSFORMS-1 = notfound
TRANSFORMS-2 = setsourcetype
disabled = false
&lt;/CODE&gt;&lt;/PRE&gt;
&lt;P&gt;transforms.conf:&lt;/P&gt;
&lt;PRE&gt;&lt;CODE&gt;[notfound]
REGEX = 404
DEST_KEY = _MetaData:Index
FORMAT = notfoundindex

[setsourcetype]
SOURCE_KEY = _raw
REGEX = ^.
DEST_KEY = Metadata:Sourcetype
FORMAT = sourcetype::access_combined
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Sun, 07 Jun 2020 01:32:17 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Change-Index-and-Sourcetype/m-p/395104#M70489</guid>
      <dc:creator>jpcontrerasadit</dc:creator>
      <dc:date>2020-06-07T01:32:17Z</dc:date>
    </item>
    <item>
      <title>Re: Change Index and Sourcetype</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Change-Index-and-Sourcetype/m-p/395105#M70490</link>
      <description>&lt;P&gt;Your index rewrite transform looks OK to me, but you've made a typo in the sourcetype-changing section: it should be &lt;CODE&gt;MetaData:Sourcetype&lt;/CODE&gt; (with a capital D), not &lt;CODE&gt;Metadata:Sourcetype&lt;/CODE&gt;.&lt;/P&gt;

&lt;P&gt;To make things easier to debug, you could/should also combine the TRANSFORMS statements into one so you can see more clearly which order they're applied in.&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;TRANSFORMS-changestuff = notfound, setsourcetype
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Tue, 19 Jun 2018 06:50:37 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Change-Index-and-Sourcetype/m-p/395105#M70490</guid>
      <dc:creator>Ayn</dc:creator>
      <dc:date>2018-06-19T06:50:37Z</dc:date>
    </item>
    <item>
      <title>Re: Change Index and Sourcetype</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Change-Index-and-Sourcetype/m-p/395106#M70491</link>
      <description>&lt;P&gt;Hi @jpcontrerasaditum, I am also trying to manipulate a weblog with nearly 36k events and exactly the same requirements, which are:&lt;/P&gt;

&lt;OL&gt;
&lt;LI&gt;line break at &amp;amp;&amp;amp;&amp;amp;, then &lt;/LI&gt;
&lt;LI&gt;send 404 status code events to notfoundindex and &lt;/LI&gt;
&lt;LI&gt;reassigning all the events to access_combined sourcetype.&lt;/LI&gt;
&lt;/OL&gt;

&lt;P&gt;But it doesn't seem to work with the entire log file. So I tried with 10 events only and was able to achieve 1. but not 2. and 3. I get the following error:&lt;/P&gt;

&lt;P&gt;&lt;STRONG&gt;truncating at 10000 bytes because size exceeded splunk with a line length &amp;gt;= 15512&lt;/STRONG&gt;&lt;/P&gt;

&lt;P&gt;I tried truncate = 50000 &amp;amp; truncate = 0, but that makes Splunk unresponsive.&lt;/P&gt;

&lt;P&gt;So were you able to resolve the issue? I'd appreciate it if you could help.&lt;/P&gt;</description>
      <pubDate>Sat, 08 Feb 2020 09:24:49 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Change-Index-and-Sourcetype/m-p/395106#M70491</guid>
      <dc:creator>navidnaddimulla</dc:creator>
      <dc:date>2020-02-08T09:24:49Z</dc:date>
    </item>
    <item>
      <title>Re: Change Index and Sourcetype</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Change-Index-and-Sourcetype/m-p/395107#M70492</link>
      <description>&lt;P&gt;Hi @Ayn, I am also trying to manipulate a weblog with nearly 36k events and exactly the same requirements, which are:&lt;/P&gt;

&lt;OL&gt;
&lt;LI&gt;line break at &amp;amp;&amp;amp;&amp;amp;, then &lt;/LI&gt;
&lt;LI&gt;send 404 status code events to notfoundindex and &lt;/LI&gt;
&lt;LI&gt;reassigning all the events to access_combined sourcetype.&lt;/LI&gt;
&lt;/OL&gt;

&lt;P&gt;But it doesn't seem to work with the entire log file. So I tried with 10 events only and was able to achieve 1. but not 2. and 3. I get the following error:&lt;/P&gt;

&lt;P&gt;&lt;STRONG&gt;truncating at 10000 bytes because size exceeded splunk with a line length &amp;gt;= 15512&lt;/STRONG&gt;&lt;/P&gt;

&lt;P&gt;I tried truncate = 50000 &amp;amp; truncate = 0, but that makes Splunk unresponsive.&lt;/P&gt;

&lt;P&gt;So were you able to resolve the issue? I'd appreciate it if you could help.&lt;/P&gt;</description>
      <pubDate>Sat, 08 Feb 2020 09:25:44 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Change-Index-and-Sourcetype/m-p/395107#M70492</guid>
      <dc:creator>navidnaddimulla</dc:creator>
      <dc:date>2020-02-08T09:25:44Z</dc:date>
    </item>
    <item>
      <title>Re: Change Index and Sourcetype</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Change-Index-and-Sourcetype/m-p/395108#M70493</link>
      <description>&lt;P&gt;For line-breaking, use the regex (&amp;amp;&amp;amp;&amp;amp;).&lt;BR /&gt;
In props, give Max events as 40000.&lt;BR /&gt;
Truncate as 20000 (check the max using the len function and adjust).&lt;/P&gt;

&lt;P&gt;Create a new index named notfoundindex (Settings--&amp;gt;Index)&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;# props.conf
# Stanza name taken from the original question's props.conf; props.conf is the
# file, not a stanza. Line breaking is configured with LINE_BREAKER, not REGEX.
[weblogs]
LINE_BREAKER = (\&amp;amp;\&amp;amp;\&amp;amp;)
SHOULD_LINEMERGE = false
MAX_EVENTS = 40000
TRUNCATE = 20000

TRANSFORMS-01-notfound = notfound
TRANSFORMS-02-setsourcetype = setsourcetype

# transforms.conf
[notfound]
REGEX = .*404.*
DEST_KEY = _MetaData:Index
FORMAT = notfoundindex

[setsourcetype]
SOURCE_KEY = _raw
REGEX = .*
# DEST_KEY is case-sensitive: MetaData, not Metadata
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::access_combined
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Mon, 25 May 2020 23:34:41 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Change-Index-and-Sourcetype/m-p/395108#M70493</guid>
      <dc:creator>dindu</dc:creator>
      <dc:date>2020-05-25T23:34:41Z</dc:date>
    </item>
    <item>
      <title>Re: Change Index and Sourcetype</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Change-Index-and-Sourcetype/m-p/532342#M89501</link>
      <description>&lt;P&gt;First, one minor change to the REGEX for the 404 status events: if you use&lt;/P&gt;
&lt;PRE&gt;&lt;CODE&gt;REGEX = .*404.*
&lt;/CODE&gt;&lt;/PRE&gt;
&lt;P&gt;it takes up events that maybe have a status 200 followed by 404 also. To prevent this you could use this REGEX instead:&lt;/P&gt;
&lt;PRE&gt;&lt;CODE&gt;REGEX = "\s404\s
&lt;/CODE&gt;&lt;/PRE&gt;
&lt;P&gt;That way it only takes the first number after a quotation mark and a blank space.&lt;/P&gt;
&lt;P&gt;Also, if you try to change the index AND the sourcetype for one input, you might run into problems, since Splunk could potentially first address the new sourcetype and then try to send events into new indexes given the regex above. BUT when this happens they are already sourcetype=access_combined and not weblog anymore, so it won't work, or only one of those transforms will.&lt;/P&gt;
&lt;P&gt;The solution is as follows: in props.conf your stanza shouldn't address the sourcetype "weblog" but rather the source from which your data originates.&lt;/P&gt;
&lt;PRE&gt;&lt;CODE&gt;[source::access_combined_no_breaks.log]
&lt;/CODE&gt;&lt;/PRE&gt;
&lt;P&gt;This way it doesn't matter what happens first with your data, because the source will always stay the same.&lt;/P&gt;
&lt;P&gt;Hope this helps anyone who might run into the same problems. If so, please consider a thumbs up 🙂&lt;/P&gt;</description>
      <pubDate>Tue, 08 Dec 2020 15:04:41 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Change-Index-and-Sourcetype/m-p/532342#M89501</guid>
      <dc:creator>avoelk</dc:creator>
      <dc:date>2020-12-08T15:04:41Z</dc:date>
    </item>
  </channel>
</rss>