<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Creating new sourcetype using props.conf and transforms.conf in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Creating-new-soucertype-using-Props-conf-and-transform-conf/m-p/294538#M93556</link>
    <description>&lt;P&gt;Hey &lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/77815"&gt;@raomu&lt;/a&gt;,&lt;BR /&gt;
Sourcetype override occurs at parse time, which means before indexing; it works only on an indexer or heavy forwarder, not on a universal forwarder.&lt;BR /&gt;
This is written in&lt;BR /&gt;
&lt;A href="https://docs.splunk.com/Documentation/Splunk/latest/Data/Advancedsourcetypeoverrides" target="_blank"&gt;https://docs.splunk.com/Documentation/Splunk/latest/Data/Advancedsourcetypeoverrides&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;You can have a look at the props.conf of Splunk_TA_paloalto:&lt;BR /&gt;
&lt;A href="https://github.com/PaloAltoNetworks/Splunk_TA_paloalto/blob/master/default/props.conf" target="_blank"&gt;https://github.com/PaloAltoNetworks/Splunk_TA_paloalto/blob/master/default/props.conf&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;Refer to this link to create a new sourcetype:&lt;BR /&gt;
&lt;A href="https://docs.splunk.com/Documentation/Splunk/latest/Data/Advancedsourcetypeoverrides" target="_blank"&gt;https://docs.splunk.com/Documentation/Splunk/latest/Data/Advancedsourcetypeoverrides&lt;/A&gt;&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[pan:log]
REGEX = &amp;lt;your_regex&amp;gt;
FORMAT = sourcetype::&amp;lt;new_sourcetype&amp;gt;
DEST_KEY = MetaData:Sourcetype
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Also look at &lt;BR /&gt;
&lt;A href="https://answers.splunk.com/answers/210347/how-to-get-palo-alto-app-transforms-working.html" target="_blank"&gt;https://answers.splunk.com/answers/210347/how-to-get-palo-alto-app-transforms-working.html&lt;/A&gt;&lt;BR /&gt;
I hope this helps!&lt;/P&gt;</description>
    <pubDate>Tue, 29 Sep 2020 17:32:42 GMT</pubDate>
    <dc:creator>mayurr98</dc:creator>
    <dc:date>2020-09-29T17:32:42Z</dc:date>
    <item>
      <title>Creating new sourcetype using props.conf and transforms.conf</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Creating-new-soucertype-using-Props-conf-and-transform-conf/m-p/294537#M93555</link>
      <description>&lt;P&gt;All my network data comes in under the default sourcetype irrespective of the type of device.&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;index = network
sourcetype = network
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;I have defined props.conf and transforms.conf to separate the firewall (Palo Alto) logs into a different sourcetype, pan:log.&lt;/P&gt;

&lt;P&gt;Will the new sourcetype "pan:log" take effect before indexing, or after?&lt;/P&gt;

&lt;P&gt;transforms.conf&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[PaloAlto_sourcetype_setting]
REGEX = ^\w+\s+\d+\s+\d+:\d+:\d+\s+(\w\w-\w+-panorama)
FORMAT = sourcetype::pan:log
DEST_KEY = MetaData:Sourcetype
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Tue, 29 Sep 2020 17:32:40 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Creating-new-soucertype-using-Props-conf-and-transform-conf/m-p/294537#M93555</guid>
      <dc:creator>raomu</dc:creator>
      <dc:date>2020-09-29T17:32:40Z</dc:date>
    </item>
    <item>
      <title>Re: Creating new sourcetype using props.conf and transforms.conf</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Creating-new-soucertype-using-Props-conf-and-transform-conf/m-p/294538#M93556</link>
      <description>&lt;P&gt;Hey &lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/77815"&gt;@raomu&lt;/a&gt;,&lt;BR /&gt;
Sourcetype override occurs at parse time, which means before indexing; it works only on an indexer or heavy forwarder, not on a universal forwarder.&lt;BR /&gt;
This is written in&lt;BR /&gt;
&lt;A href="https://docs.splunk.com/Documentation/Splunk/latest/Data/Advancedsourcetypeoverrides" target="_blank"&gt;https://docs.splunk.com/Documentation/Splunk/latest/Data/Advancedsourcetypeoverrides&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;You can have a look at the props.conf of Splunk_TA_paloalto:&lt;BR /&gt;
&lt;A href="https://github.com/PaloAltoNetworks/Splunk_TA_paloalto/blob/master/default/props.conf" target="_blank"&gt;https://github.com/PaloAltoNetworks/Splunk_TA_paloalto/blob/master/default/props.conf&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;Refer to this link to create a new sourcetype:&lt;BR /&gt;
&lt;A href="https://docs.splunk.com/Documentation/Splunk/latest/Data/Advancedsourcetypeoverrides" target="_blank"&gt;https://docs.splunk.com/Documentation/Splunk/latest/Data/Advancedsourcetypeoverrides&lt;/A&gt;&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[pan:log]
REGEX = &amp;lt;your_regex&amp;gt;
FORMAT = sourcetype::&amp;lt;new_sourcetype&amp;gt;
DEST_KEY = MetaData:Sourcetype
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Also look at &lt;BR /&gt;
&lt;A href="https://answers.splunk.com/answers/210347/how-to-get-palo-alto-app-transforms-working.html" target="_blank"&gt;https://answers.splunk.com/answers/210347/how-to-get-palo-alto-app-transforms-working.html&lt;/A&gt;&lt;BR /&gt;
I hope this helps!&lt;/P&gt;</description>
      <pubDate>Tue, 29 Sep 2020 17:32:42 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Creating-new-soucertype-using-Props-conf-and-transform-conf/m-p/294538#M93556</guid>
      <dc:creator>mayurr98</dc:creator>
      <dc:date>2020-09-29T17:32:42Z</dc:date>
    </item>
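As an added example, not code from this thread and not Splunk's own code: a small Python emulation of the parse-time sourcetype override discussed above. It applies the REGEX posted in the question, wired through an assumed props.conf stanza ([network] with TRANSFORMS-set_pan = PaloAlto_sourcetype_setting), to a few constructed syslog lines, and reports the sourcetype each event would be indexed under. The stanza names, the props.conf wiring and the sample lines are assumptions; the REGEX, FORMAT and DEST_KEY values are the ones in the thread.

```python
import re

# Stand-alone emulation of Splunk's parse-time TRANSFORMS- class. It is not Splunk
# code; it reproduces the props.conf / transforms.conf semantics just closely enough
# to test a REGEX offline before deploying it to an indexer or heavy forwarder.

# inputs.conf (from the question): everything arrives as sourcetype "network"
INPUT_SOURCETYPE = "network"

# props.conf (assumed wiring): run the named transform on events that arrive as "network"
#   [network]
#   TRANSFORMS-set_pan = PaloAlto_sourcetype_setting
PROPS = {"network": ["PaloAlto_sourcetype_setting"]}

# transforms.conf (REGEX, FORMAT and DEST_KEY as posted in the question)
TRANSFORMS = {
    "PaloAlto_sourcetype_setting": {
        "REGEX": r"^\w+\s+\d+\s+\d+:\d+:\d+\s+(\w\w-\w+-panorama)",
        "FORMAT": "sourcetype::pan:log",
        "DEST_KEY": "MetaData:Sourcetype",
    },
}


def apply_transforms(raw, sourcetype, props=PROPS, transforms=TRANSFORMS):
    """Return the sourcetype an event is indexed with after the parsing phase.

    Each transform listed for the incoming sourcetype whose REGEX matches the raw
    event writes FORMAT into DEST_KEY; when several match, the last one wins.
    """
    meta = {"MetaData:Sourcetype": sourcetype}
    for name in props.get(sourcetype, []):
        t = transforms[name]
        m = re.search(t["REGEX"], raw)
        if m is None:
            continue
        key, sep, value = t["FORMAT"].partition("::")
        if t["DEST_KEY"] == "MetaData:Sourcetype" and (sep != "::" or key != "sourcetype"):
            # The documented form for this DEST_KEY is sourcetype::name; reject anything
            # else here so the mistake is caught before the config reaches an indexer.
            raise ValueError(f"{name}: FORMAT must be sourcetype::name, got {t['FORMAT']!r}")
        # Splunk expands $1, $2, ... in FORMAT with the capture groups of REGEX
        value = re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), value)
        meta[t["DEST_KEY"]] = value
    return meta["MetaData:Sourcetype"]


def route_events(events, sourcetype=INPUT_SOURCETYPE):
    """Pair each raw event with the sourcetype it lands in after parsing."""
    return [(apply_transforms(raw, sourcetype), raw) for raw in events]


def count_by_sourcetype(events, sourcetype=INPUT_SOURCETYPE):
    """What a search such as index=network | stats count by sourcetype would show."""
    counts = {}
    for st, _ in route_events(events, sourcetype):
        counts[st] = counts.get(st, 0) + 1
    return counts


# Constructed sample syslog lines (not real logs); hostnames and payloads are made up.
SAMPLE_EVENTS = [
    # Panorama-forwarded Palo Alto traffic log: hostname fits xx-xxxx-panorama
    "Jan 11 06:40:24 dc-fw01-panorama 1,2018/01/11 06:40:24,007200001,TRAFFIC,end,10.0.0.5,203.0.113.9",
    # Cisco switch: does not match, stays "network"
    "Jan 11 06:41:00 core-sw01 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down",
    # Palo Alto firewall logging directly, no "-panorama" suffix in the hostname: this
    # REGEX leaves it in "network", a gap to know about before relying on pan:log
    "Jan 11 06:42:10 pa-fw02 1,2018/01/11 06:42:10,007200002,THREAT,url,10.0.0.7,198.51.100.4",
    # Single-digit day with the usual double space in the syslog header; \s+ absorbs it
    "Feb  3 09:15:33 eu-edge-panorama 1,2018/02/03 09:15:33,007200003,SYSTEM,general",
]

if __name__ == "__main__":
    for st, raw in route_events(SAMPLE_EVENTS):
        print(f"{st:10s} {raw[:60]}")
    print(count_by_sourcetype(SAMPLE_EVENTS))
```

Because the override runs in the parsing phase, the matching events are never written to disk as sourcetype network; the counts the block returns are what a search over the index would show afterwards. The third sample line is the caveat worth noting: a firewall that logs straight to Splunk, with a hostname that does not end in -panorama, is not caught by this REGEX and stays in the default sourcetype.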
    <item>
      <title>Re: Creating new sourcetype using props.conf and transforms.conf</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Creating-new-soucertype-using-Props-conf-and-transform-conf/m-p/294539#M93557</link>
      <description>&lt;P&gt;Thanks for your response. &lt;/P&gt;

&lt;P&gt;I have all the Palo Alto settings you shared. My question is: if I force these settings in transforms.conf, will this take place before indexing or after indexing?&lt;/P&gt;

&lt;P&gt;As you can see in my inputs.conf, I am giving the sourcetype "network", so it will index all the data to the "network" sourcetype first, and then we are using transforms.conf to filter the Palo Alto logs and put them in another sourcetype. The question here is whether the change of sourcetype will happen at search time or at index time.&lt;/P&gt;</description>
      <pubDate>Thu, 11 Jan 2018 06:40:24 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Creating-new-soucertype-using-Props-conf-and-transform-conf/m-p/294539#M93557</guid>
      <dc:creator>raomu</dc:creator>
      <dc:date>2018-01-11T06:40:24Z</dc:date>
    </item>
    <item>
      <title>Re: Creating new sourcetype using props.conf and transforms.conf</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Creating-new-soucertype-using-Props-conf-and-transform-conf/m-p/294540#M93558</link>
      <description>&lt;P&gt;Hey, I have edited my answer.&lt;BR /&gt;
So basically whatever you write in &lt;CODE&gt;transforms.conf&lt;/CODE&gt; happens in the parsing phase, i.e. before indexing.&lt;BR /&gt;
See the data pipeline flow:&lt;BR /&gt;
&lt;A href="http://docs.splunk.com/Documentation/Splunk/7.0.1/Admin/Configurationparametersandthedatapipeline"&gt;http://docs.splunk.com/Documentation/Splunk/7.0.1/Admin/Configurationparametersandthedatapipeline&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;I hope this solves your query!&lt;/P&gt;</description>
      <pubDate>Thu, 11 Jan 2018 06:44:29 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Creating-new-soucertype-using-Props-conf-and-transform-conf/m-p/294540#M93558</guid>
      <dc:creator>mayurr98</dc:creator>
      <dc:date>2018-01-11T06:44:29Z</dc:date>
    </item>
    <item>
      <title>Re: Creating new sourcetype using props.conf and transforms.conf</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Creating-new-soucertype-using-Props-conf-and-transform-conf/m-p/294541#M93559</link>
      <description>&lt;P&gt;I see you are referencing the Palo Alto TA sourcetype, which does additional sourcetype rewriting when events come in.  I strongly advise you to have your events first come in as the necessary &lt;CODE&gt;pan:log&lt;/CODE&gt;, instead of rewriting them to &lt;CODE&gt;pan:log&lt;/CODE&gt; after they arrive.&lt;/P&gt;

&lt;P&gt;Please reference this &lt;A href="https://answers.splunk.com/answers/595749/palo-alto-apps-not-showing-any-data.html"&gt;ongoing answers post&lt;/A&gt; about this topic.&lt;/P&gt;</description>
      <pubDate>Thu, 11 Jan 2018 15:31:01 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Creating-new-soucertype-using-Props-conf-and-transform-conf/m-p/294541#M93559</guid>
      <dc:creator>micahkemp</dc:creator>
      <dc:date>2018-01-11T15:31:01Z</dc:date>
    </item>
  </channel>
</rss>

