https://community.splunk.com/t5/Getting-Data-In/Changing-the-sourcetype-to-remove-spaces/m-p/484660#M82991 <P>I'm working on a TA to process Venafi messages brought in via RestAPI. When I was testing I used hostname in the props.conf file to call the transform to change the sourcetype. I can't do that in production because the production Windows servers send logs via the UF. I tried this yesterday in test.</P> <P>props.conf<BR /> [source::Venafi\sTrust\sProtection\sPlatform]<BR /> TZ = US/Pacific<BR /> TRANSFORMS-venafi = venafi_sourcetype_rename</P> <P>transforms.conf<BR /> [venafi_sourcetype_rename]<BR /> DEST_KEY = MetaData:Sourcetype<BR /> FORMAT = sourcetype::venafi_tpp<BR /> REGEX = (.)</P> <P>According to the Splunk documentation it is a source-matching pattern</P> <OL> <LI>source::, where is the source, or source-matching pattern, for an event.</LI> </OL> <P>This is what I have to work with</P> <P>source = Venafi Trust Protection Platform<BR /> sourcetype = Venafi TPP Log Event</P> <P>Any ideas on how I can use source to reset sourcetype?</P> <P>TIA,<BR /> Joe</P> Wed, 30 Sep 2020 03:41:16 GMT jwhughes58 2020-09-30T03:41:16Z https://community.splunk.com/t5/Getting-Data-In/Changing-the-sourcetype-to-remove-spaces/m-p/484660#M82991 <P>I'm working on a TA to process Venafi messages brought in via RestAPI. When I was testing I used hostname in the props.conf file to call the transform to change the sourcetype. I can't do that in production because the production Windows servers send logs via the UF. I tried this yesterday in test.</P> <P>props.conf<BR /> [source::Venafi\sTrust\sProtection\sPlatform]<BR /> TZ = US/Pacific<BR /> TRANSFORMS-venafi = venafi_sourcetype_rename</P> <P>transforms.conf<BR /> [venafi_sourcetype_rename]<BR /> DEST_KEY = MetaData:Sourcetype<BR /> FORMAT = sourcetype::venafi_tpp<BR /> REGEX = (.)</P> <P>According to the Splunk documentation it is a source-matching pattern</P> <OL> <LI>source::, where is the source, or source-matching pattern, for an event.</LI> </OL> <P>This is what I have to work with</P> <P>source = Venafi Trust Protection Platform<BR /> sourcetype = Venafi TPP Log Event</P> <P>Any ideas on how I can use source to reset sourcetype?</P> <P>TIA,<BR /> Joe</P> Wed, 30 Sep 2020 03:41:16 GMT https://community.splunk.com/t5/Getting-Data-In/Changing-the-sourcetype-to-remove-spaces/m-p/484660#M82991 jwhughes58 2020-09-30T03:41:16Z https://community.splunk.com/t5/Getting-Data-In/Changing-the-sourcetype-to-remove-spaces/m-p/484661#M82992 <P>have you tried just putting the spaces in the source:: stanza? Not sure if you need regex there or why splunk wouldn't be able to handle spaces...but i've never tried.</P> <P>Also, how is the data getting sent into Splunk...and is there a reason the sourcetype can't just be set there? I'm a little confused on the Rest API and the Windows UF part of the scenario...but likely it could be set at input time?</P> Sat, 18 Jan 2020 14:34:36 GMT https://community.splunk.com/t5/Getting-Data-In/Changing-the-sourcetype-to-remove-spaces/m-p/484661#M82992 maciep 2020-01-18T14:34:36Z https://community.splunk.com/t5/Getting-Data-In/Changing-the-sourcetype-to-remove-spaces/m-p/484662#M82993 <P>Whatever you were doing in pre-prod should work fine in production, you just need to deploy it to your Indexer (or HF) tier.</P> Sat, 18 Jan 2020 19:20:31 GMT https://community.splunk.com/t5/Getting-Data-In/Changing-the-sourcetype-to-remove-spaces/m-p/484662#M82993 woodcock 2020-01-18T19:20:31Z https://community.splunk.com/t5/Getting-Data-In/Changing-the-sourcetype-to-remove-spaces/m-p/484663#M82994 <P>The data is ingested by Splunk via the RestAPI. Unfortunately the application sets the sourcetype before sending the messages and the sourcetype can't be changed in the application UI.</P> Mon, 20 Jan 2020 18:40:31 GMT https://community.splunk.com/t5/Getting-Data-In/Changing-the-sourcetype-to-remove-spaces/m-p/484663#M82994 jwhughes58 2020-01-20T18:40:31Z https://community.splunk.com/t5/Getting-Data-In/Changing-the-sourcetype-to-remove-spaces/m-p/484664#M82995 <P>What I wound up doing was using source=Venafi* since Venafi only has the one feed.</P> Mon, 20 Jan 2020 18:41:15 GMT https://community.splunk.com/t5/Getting-Data-In/Changing-the-sourcetype-to-remove-spaces/m-p/484664#M82995 jwhughes58 2020-01-20T18:41:15Z