https://community.splunk.com/t5/Getting-Data-In/Using-setnull-and-setparsing-for-two-different-sourcetypes/m-p/404738#M71834 <P>Hello Everyone,</P> <P>We have following props.conf</P> <P>[<STRONG>sourcetypeA</STRONG>]<BR /> KV_MODE = json<BR /> SHOULD_LINEMERGE = false<BR /> TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3Q%Z<BR /> TRUNCATE = 0<BR /> LINE_BREAKER = ([\n\r]+){<BR /> TIME_PREFIX = (\"timestamp\"[^\"]+\")<BR /> TRANSFORMS-set = <STRONG>setnull,setparsing</STRONG></P> <P>and transforms.conf:</P> <P>[<STRONG>setnull</STRONG>]<BR /> REGEX = .<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</P> <P>[<STRONG>setparsing</STRONG>]<BR /> REGEX = Regex1<BR /> DEST_KEY = queue<BR /> FORMAT = indexQueue</P> <P>Using this configuration we are getting filtered data in splunk and it is working as expected.</P> <P>No we have a requirement where we want to apply similar settings to another sourcetype say sourcetypeB with having different regex for [setparsing].</P> <P>I have updated the props.conf as </P> <P>[<STRONG>sourcetypeA</STRONG>]<BR /> KV_MODE = json<BR /> SHOULD_LINEMERGE = false<BR /> TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3Q%Z<BR /> TRUNCATE = 0<BR /> LINE_BREAKER = ([\n\r]+){<BR /> TIME_PREFIX = (\"timestamp\"[^\"]+\")<BR /> TRANSFORMS-set = <STRONG>setnull</STRONG>,<STRONG>setparsing</STRONG></P> <P>[<STRONG>sourcetypeB</STRONG>]<BR /> KV_MODE = json<BR /> SHOULD_LINEMERGE = false<BR /> TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3Q%Z<BR /> TRUNCATE = 0<BR /> LINE_BREAKER = ([\n\r]+){<BR /> TIME_PREFIX = (\"timestamp\"[^\"]+\")<BR /> TRANSFORMS-set = <STRONG>setnull</STRONG>,<STRONG>setparsing1</STRONG></P> <P>Transforms.conf has been modified as:</P> <P>[setnull]<BR /> REGEX = .<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</P> <P>[setparsing]<BR /> REGEX = <STRONG>Regex1</STRONG><BR /> DEST_KEY = queue<BR /> FORMAT = indexQueue</P> <P>[setparsing1]<BR /> REGEX = <STRONG>Regex2</STRONG><BR /> DEST_KEY = queue<BR /> FORMAT = indexQueue</P> <P>After applying these setting I see data only getting indexed for SourcetypeB and no data for SourcetypeA.</P> <P>Could anyone please help what do i need to change to get data for both sourcetypes A and B. I have tried multiple combinations but only getting data for one sourcetype at one time</P> <P>Regards,<BR /> Inderjot</P> Wed, 30 Sep 2020 00:04:32 GMT inderjot_rasila 2020-09-30T00:04:32Z https://community.splunk.com/t5/Getting-Data-In/Using-setnull-and-setparsing-for-two-different-sourcetypes/m-p/404738#M71834 <P>Hello Everyone,</P> <P>We have following props.conf</P> <P>[<STRONG>sourcetypeA</STRONG>]<BR /> KV_MODE = json<BR /> SHOULD_LINEMERGE = false<BR /> TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3Q%Z<BR /> TRUNCATE = 0<BR /> LINE_BREAKER = ([\n\r]+){<BR /> TIME_PREFIX = (\"timestamp\"[^\"]+\")<BR /> TRANSFORMS-set = <STRONG>setnull,setparsing</STRONG></P> <P>and transforms.conf:</P> <P>[<STRONG>setnull</STRONG>]<BR /> REGEX = .<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</P> <P>[<STRONG>setparsing</STRONG>]<BR /> REGEX = Regex1<BR /> DEST_KEY = queue<BR /> FORMAT = indexQueue</P> <P>Using this configuration we are getting filtered data in splunk and it is working as expected.</P> <P>No we have a requirement where we want to apply similar settings to another sourcetype say sourcetypeB with having different regex for [setparsing].</P> <P>I have updated the props.conf as </P> <P>[<STRONG>sourcetypeA</STRONG>]<BR /> KV_MODE = json<BR /> SHOULD_LINEMERGE = false<BR /> TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3Q%Z<BR /> TRUNCATE = 0<BR /> LINE_BREAKER = ([\n\r]+){<BR /> TIME_PREFIX = (\"timestamp\"[^\"]+\")<BR /> TRANSFORMS-set = <STRONG>setnull</STRONG>,<STRONG>setparsing</STRONG></P> <P>[<STRONG>sourcetypeB</STRONG>]<BR /> KV_MODE = json<BR /> SHOULD_LINEMERGE = false<BR /> TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3Q%Z<BR /> TRUNCATE = 0<BR /> LINE_BREAKER = ([\n\r]+){<BR /> TIME_PREFIX = (\"timestamp\"[^\"]+\")<BR /> TRANSFORMS-set = <STRONG>setnull</STRONG>,<STRONG>setparsing1</STRONG></P> <P>Transforms.conf has been modified as:</P> <P>[setnull]<BR /> REGEX = .<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</P> <P>[setparsing]<BR /> REGEX = <STRONG>Regex1</STRONG><BR /> DEST_KEY = queue<BR /> FORMAT = indexQueue</P> <P>[setparsing1]<BR /> REGEX = <STRONG>Regex2</STRONG><BR /> DEST_KEY = queue<BR /> FORMAT = indexQueue</P> <P>After applying these setting I see data only getting indexed for SourcetypeB and no data for SourcetypeA.</P> <P>Could anyone please help what do i need to change to get data for both sourcetypes A and B. I have tried multiple combinations but only getting data for one sourcetype at one time</P> <P>Regards,<BR /> Inderjot</P> Wed, 30 Sep 2020 00:04:32 GMT https://community.splunk.com/t5/Getting-Data-In/Using-setnull-and-setparsing-for-two-different-sourcetypes/m-p/404738#M71834 inderjot_rasila 2020-09-30T00:04:32Z https://community.splunk.com/t5/Getting-Data-In/Using-setnull-and-setparsing-for-two-different-sourcetypes/m-p/404739#M71835 <P>The only thing that makes sense is that your <CODE>Rregex1</CODE> is incorrect and never matches.</P> Thu, 11 Apr 2019 00:09:53 GMT https://community.splunk.com/t5/Getting-Data-In/Using-setnull-and-setparsing-for-two-different-sourcetypes/m-p/404739#M71835 woodcock 2019-04-11T00:09:53Z https://community.splunk.com/t5/Getting-Data-In/Using-setnull-and-setparsing-for-two-different-sourcetypes/m-p/404740#M71836 <P>Regex1 is just a sample here we have actual application name which matches but only data from one sourcetype gets ingested at once</P> Thu, 11 Apr 2019 17:21:42 GMT https://community.splunk.com/t5/Getting-Data-In/Using-setnull-and-setparsing-for-two-different-sourcetypes/m-p/404740#M71836 inderjot_rasila 2019-04-11T17:21:42Z https://community.splunk.com/t5/Getting-Data-In/Using-setnull-and-setparsing-for-two-different-sourcetypes/m-p/404741#M71837 <P>The only thing I can think to try would be to have two totally different, yet exactly the same <CODE>'setnull'</CODE> stanzas in transforms.conf &gt; <CODE>setnullA</CODE> for <CODE>sourcetypeA</CODE> and <CODE>setnullB</CODE> for <CODE>sourcetypeB</CODE> each with their own <CODE>'setparsing'</CODE> as you have done already.</P> Thu, 30 May 2019 19:40:44 GMT https://community.splunk.com/t5/Getting-Data-In/Using-setnull-and-setparsing-for-two-different-sourcetypes/m-p/404741#M71837 gurlest 2019-05-30T19:40:44Z