topic Re: override source field to a common source using transform.conf and props.conf in Getting Data In

override source field to a common source using transform.conf and props.conf

meet_vadaria — Tue, 29 Sep 2020 22:19:01 GMT

I want to have a common source field for all my syslog. I have centralized syslog server where I am running splunkforwarder to send all remote hosts logs to splunk.

currently source filed is default which is "/var/log/syslog/%year%/%month%/%date%/%host%/syslog"
what I want is "/var/log/syslog" - I want this static for all logs. how to do this with transforms.conf and props.conf

I know I can do it in input.conf by just mentioning source="/var/log/syslog". I tried that and it works but it's breaking host field. I am overriding host field using host_segment in input.conf. so if I put static source there it breaks host_segment and splunk can't parse host.

current configs,

transform.conf
[source]
FORMAT = source::/var/log/syslog
SOURCE_KEY=MetaData:Source
DEST_KEY = MetaData:Source

props.conf
[sourceoverride]
TRANSFORMS-source = source
SHOULD_LINEMERGE = false

input.conf
[monitor:///var/log/rsyslog/////syslog]
disabled = false
followTail=0
host_segment = 7
blacklist = .(gz)$
sourcetype = syslog

source=/var/log/syslog

Re: override source field to a common source using transform.conf and props.conf

p_gurav — Fri, 07 Dec 2018 06:27:12 GMT

Can you try props as below:

props.conf
[syslog]
TRANSFORMS-source = source
SHOULD_LINEMERGE = false

Re: override source field to a common source using transform.conf and props.conf

meet_vadaria — Fri, 07 Dec 2018 06:38:40 GMT

tried your suggestion, didn't work. no effect.

Re: override source field to a common source using transform.conf and props.conf

FrankVl — Fri, 07 Dec 2018 10:21:43 GMT

Your transforms.conf is missing the REGEX part. Even though you don't need it functionally, it is a mandatory setting for indextime transforms.

So just add REGEX = . and then I think it should work.

Re: override source field to a common source using transform.conf and props.conf

meet_vadaria — Fri, 07 Dec 2018 17:48:38 GMT

Just tried this. didn't work. Somehow it seems like splunk is ignoring transforms and props config files. no effect at all.

Re: override source field to a common source using transform.conf and props.conf

FrankVl — Fri, 07 Dec 2018 21:37:18 GMT

Did you try my suggestion combined with the other answer about using [syslog]?

Because using [sourceoverride] in your props.conf is incorrect. You need to put your actual sourcetype between de square brackets not some
random word.