topic Re: Sourcetype Override is not working in Getting Data In

Sourcetype Override is not working

ekenne06 — Wed, 27 Jan 2021 21:40:43 GMT

the problem i'm currently having:

Software team has logs being written to a file of mixed format and structure. I'm trying to use dynamic sourcetypes so that I can place these into sourcetypes and then do the proper field extractions. I have followed this article: https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Bypassautomaticsourcetypeassignment

But it doesn't seem to be working. here is my current config:

props.conf:

[source::C/Windows/SysWOW64/SIXPAC/SIXPAC/*.log]

TRANSFORMS=SIXPAC = sixpac_service

transforms.conf

[sixpac_service]

SOURCE_KEY = MetaData: source

REGEX = SIXPACService\.(.+)\.(.+)\s

FORMAT = sourcetype::SIXPACService.$1.$2

DEST_KEY = MetaData:Sourcetype

Anyone have some ideas as to why this isn't working?

Re: Sourcetype Override is not working

gcusello — Wed, 27 Jan 2021 22:21:08 GMT

Hi @ekenne06,

three questions:

where have you localized your props.conf and transforms.conf? they must be on Indexers or (when present) on Heavy Forwarders;
did you restarted Splunk on Indexer (or HF) after you modified props.conf and transforms.conf?
did you tested your regex? are you sure that it matches the events to override?

Ciao.

Giuseppe

Re: Sourcetype Override is not working

ekenne06 — Wed, 27 Jan 2021 22:41:16 GMT

I have the props.conf and transforms.conf in an app that sits in the master_apps directory on my cluster master. I then distribute to my peers whenever I make a change. Usually if this needs a reboot, the rolling restart will take care of that right?

Re: Sourcetype Override is not working

gcusello — Thu, 28 Jan 2021 07:54:43 GMT

Hi @ekenne06,

ok,

this means that they are on Indexers and they are rebooted after changes.

Are you sure that the events don't pass through an Heavy Forwarder?

And about the regex?

Ciao.

Giuseppe

Re: Sourcetype Override is not working

ekenne06 — Thu, 28 Jan 2021 15:29:56 GMT

i'm not totally sure of the cause, but I was able to get write access to the host (which was sending data via a UF) I set a sourcetype there, and changed my props to reference that sourcetype instead of the source:: I was using before and everything is working now.

my assumption for why it wan't working before:

it was a windows host and the source wasn't being recognized properly in the props.conf

splunk was setting a sourcetype/source via learned/local config files and those couldn't be overwritten for some reason