Changing sourcetype name

jwhughes58 — Wed, 31 Mar 2021 16:03:54 GMT

I've got an app that I've developed running on a HF that has the following inputs.conf

monitor:///apps/snmp-traps/traps-received.log] disabled = false host = hostname index = my_index sourcetype = SNMP:raw

Then the props.conf

[SNMP:raw] SHOULD_LINEMERGE = true BREAK_ONLY_BEFORE_DATE = true TRANSFORMS-snmp_sourcetype = aruba_config_alert, aruba_down_ap, aruba_down_radio, aruba_radio_utilization, aruba_rogue_ap_detected_detail, aruba_rogue_ap_discovered, aruba_up_ap, snmp_aruba_amp, snmp_cisco_prime, snmp_cisco_asa, snmp_solarwinds, snmp_pan, snmp_generic_traps

Then the transforms.conf

# # Set sourcetype based on trap # # # Aruba AMP Trap 12 # [aruba_rogue_ap_discovered] DEST_KEY = MetaData:Sourcetype REGEX = AWAMP-MIB::rogueAPDetected FORMAT = sourcetype::aruba:rogue_ap_discovered # # Aruba AMP Trap 13 # [aruba_down_ap] DEST_KEY = MetaData:Sourcetype REGEX = AWAMP-MIB::downAP FORMAT = sourcetype::aruba:down_ap # # Aruba AMP Trap 15 # [aruba_up_ap] DEST_KEY = MetaData:Sourcetype REGEX = AWAMP-MIB::upAP FORMAT = sourcetype::aruba:up_ap # # Aruba AMP Trap 16 # [aruba_down_radio] DEST_KEY = MetaData:Sourcetype REGEX = AWAMP-MIB::downRadio FORMAT = sourcetype::aruba:down_radio # # Aruba AMP Trap 30 # [aruba_radio_utilization] DEST_KEY = MetaData:Sourcetype REGEX = AWAMP-MIB::radioUtilization FORMAT = sourcetype::aruba:radio_utilization # # Aruba AMP Trap 32 # [aruba_rogue_ap_detected_detail] DEST_KEY = MetaData:Sourcetype REGEX = AWAMP-MIB::rogueAPDetectedDetail FORMAT = sourcetype::aruba:rogue_ap_detected_detail # # Aruba AMP Trap 59 # [aruba_up_radio] DEST_KEY = MetaData:Sourcetype REGEX = AWAMP-MIB::upRadio FORMAT = sourcetype::aruba:up_radio # # Aruba AMP Trap 200 # [aruba_config_alert] DEST_KEY = MetaData:Sourcetype REGEX = AWAMP-MIB::configAlert FORMAT = sourcetype::aruba:config_alert #### sourcetype routing [snmp_aruba_amp] DEST_KEY = MetaData:Sourcetype REGEX = SNMPv2-MIB\:\:snmpTrapOID.0 = OID\: AWAMP-MIB FORMAT = sourcetype::aruba:snmp [snmp_cisco_prime] DEST_KEY = MetaData:Sourcetype REGEX = SNMPv2-MIB\:\:snmpTrapOID.0 = OID\: CISCO-WIRELESS-NOTIFICATION-MIB FORMAT = sourcetype::cisco:prime [snmp_cisco_asa] DEST_KEY = MetaData:Sourcetype REGEX = .*SNMPv2-SMI\:\:enterprises\.3076.* FORMAT = sourcetype::cisco:asa:snmp [snmp_pan] DEST_KEY = MetaData:Sourcetype REGEX = SNMPv2-MIB\:\:snmpTrapOID.0 = OID\: PAN-TRAPS FORMAT = sourcetype::pan:snmp [snmp_solarwinds] DEST_KEY = MetaData:Sourcetype REGEX = SNMPv2-MIB\:\:snmpTrapEnterprise.0 = OID\: SOLARWINDS-PRODUCTS FORMAT = sourcetype::solarwinds:snmp [snmp_generic_traps] DEST_KEY = MetaData:Sourcetype REGEX = .*IF-MIB.* FORMAT = sourcetype::snmp:generic_traps

The data is getting in and the props is calling the transforms correctly, but instead of seeing aruba:rogue_ap_discovered when a Rogue AP Discovered trap is in the log, instead I see aruba:snmp. I thought I understood this when this was for PAN only it appeared that the transforms get processed in order. Is there something I'm missing?

Splunk 7.3.6

TIA,

Joe

Re: Changing sourcetype name

scelikok — Wed, 31 Mar 2021 19:21:11 GMT

Hi @jwhughes58,

Splunk applies transforms in the list order. Since both rogue_ap_discovered and snmp_aruba_amp are matching, the last one wins. You should either make REGEX definitions more specific or change the order.

Re: Changing sourcetype name

jwhughes58 — Wed, 31 Mar 2021 19:27:51 GMT

Hi,

I've read that and thought I had an understanding of list order. So it is the last one that wins and not the first one?

Joe

Re: Changing sourcetype name

scelikok — Wed, 31 Mar 2021 19:48:13 GMT

Hi @jwhughes58,

Yes, the last one wins.

topic Re: Changing sourcetype name in Getting Data In

Changing sourcetype name

Re: Changing sourcetype name

Re: Changing sourcetype name

Re: Changing sourcetype name