https://community.splunk.com/t5/Getting-Data-In/Why-is-source-type-override-based-on-host-not-working/m-p/390702#M94145 <P>Hi @siva_cg,</P> <P>Your configuration is not correct to set sourcetype, look at answer given by me on this question <A href="https://answers.splunk.com/answers/686241/metadata-transforms-not-being-applied-after-series-1.html#answer-687394">https://answers.splunk.com/answers/686241/metadata-transforms-not-being-applied-after-series-1.html#answer-687394</A></P> <P>Try to set transforms.conf like this</P> <PRE><CODE>[index1_host1] REGEX = host1 SOURCE_KEY = MetaData:Host DEST_KEY = MetaData:Sourcetype FORMAT = sourcetype::sourcetype1 [index1_host2] REGEX = host2 SOURCE_KEY = MetaData:Host DEST_KEY = MetaData:Sourcetype FORMAT = sourcetype::sourcetype2 [index1_host3] REGEX = host3 SOURCE_KEY = MetaData:Host DEST_KEY = MetaData:Sourcetype FORMAT = sourcetype::sourcetype3 </CODE></PRE> Wed, 26 Sep 2018 11:40:11 GMT harsmarvania57 2018-09-26T11:40:11Z https://community.splunk.com/t5/Getting-Data-In/Why-is-source-type-override-based-on-host-not-working/m-p/390698#M94141 <P>Hi All,</P> <P>I have some switch logs which are configured to Splunk from 3 Universal Forwarders into one index. Based on host values, I renamed the source type by configuring props and transforms. I am able to see new source types in the index, but now the issue is when I search for that particular source type, it is not giving results.</P> <PRE><CODE>index = index1 ----giving results and able to see sourcetypes in the field values as expected index = index1 sourcetype = sourcetype1 ----- no results </CODE></PRE> <P>props.conf<BR /> [orig_sourcetype]<BR /> TRANSFORMS-rename = index1_host1,index1_host2,index1_host3</P> <P>transforms.conf<BR /> [index1_host1]<BR /> REGEX = host1<BR /> SOURCE_KEY = MetaData:Host<BR /> DEST_KEY = MetaData:Sourcetype<BR /> FORMAT = sourcetype1<BR /> WRITE_META = true</P> <P>[index1_host2]<BR /> REGEX = host2<BR /> SOURCE_KEY = MetaData:Host<BR /> DEST_KEY = MetaData:Sourcetype<BR /> FORMAT = sourcetype2<BR /> WRITE_META = true</P> <P>[index1_host3]<BR /> REGEX = host3<BR /> SOURCE_KEY = MetaData:Host<BR /> DEST_KEY = MetaData:Sourcetype<BR /> FORMAT = sourcetype3<BR /> WRITE_META = true</P> <P>Did I miss any configurations? Could any one please help? Thanks in advance.</P> Tue, 29 Sep 2020 21:22:09 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-source-type-override-based-on-host-not-working/m-p/390698#M94141 siva_cg 2020-09-29T21:22:09Z https://community.splunk.com/t5/Getting-Data-In/Why-is-source-type-override-based-on-host-not-working/m-p/390699#M94142 <P>Looks really clean @siva_cg, I wonder which log file tracks the <CODE>transforms.conf</CODE> work...</P> Mon, 24 Sep 2018 13:35:13 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-source-type-override-based-on-host-not-working/m-p/390699#M94142 ddrillic 2018-09-24T13:35:13Z https://community.splunk.com/t5/Getting-Data-In/Why-is-source-type-override-based-on-host-not-working/m-p/390700#M94143 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/198661">@siva_cg</a> try updating transforms.conf with WRITE_META = false and restart indexer(s) for new changes to take effect and see if it works.</P> Tue, 29 Sep 2020 21:22:19 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-source-type-override-based-on-host-not-working/m-p/390700#M94143 Rob2520 2020-09-29T21:22:19Z https://community.splunk.com/t5/Getting-Data-In/Why-is-source-type-override-based-on-host-not-working/m-p/390701#M94144 <P>I changed the WRITE_META value to false and restarted but still no luck @Rob2520. I am able to see the new sourcetype values in interested fields but not able to search for them.</P> Tue, 25 Sep 2018 08:31:09 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-source-type-override-based-on-host-not-working/m-p/390701#M94144 siva_cg 2018-09-25T08:31:09Z https://community.splunk.com/t5/Getting-Data-In/Why-is-source-type-override-based-on-host-not-working/m-p/390702#M94145 <P>Hi @siva_cg,</P> <P>Your configuration is not correct to set sourcetype, look at answer given by me on this question <A href="https://answers.splunk.com/answers/686241/metadata-transforms-not-being-applied-after-series-1.html#answer-687394">https://answers.splunk.com/answers/686241/metadata-transforms-not-being-applied-after-series-1.html#answer-687394</A></P> <P>Try to set transforms.conf like this</P> <PRE><CODE>[index1_host1] REGEX = host1 SOURCE_KEY = MetaData:Host DEST_KEY = MetaData:Sourcetype FORMAT = sourcetype::sourcetype1 [index1_host2] REGEX = host2 SOURCE_KEY = MetaData:Host DEST_KEY = MetaData:Sourcetype FORMAT = sourcetype::sourcetype2 [index1_host3] REGEX = host3 SOURCE_KEY = MetaData:Host DEST_KEY = MetaData:Sourcetype FORMAT = sourcetype::sourcetype3 </CODE></PRE> Wed, 26 Sep 2018 11:40:11 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-source-type-override-based-on-host-not-working/m-p/390702#M94145 harsmarvania57 2018-09-26T11:40:11Z https://community.splunk.com/t5/Getting-Data-In/Why-is-source-type-override-based-on-host-not-working/m-p/390703#M94146 <P>Thank you @harsmarvania57. It is working now.</P> Wed, 26 Sep 2018 12:39:00 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-source-type-override-based-on-host-not-working/m-p/390703#M94146 siva_cg 2018-09-26T12:39:00Z https://community.splunk.com/t5/Getting-Data-In/Why-is-source-type-override-based-on-host-not-working/m-p/390704#M94147 <P>Gorgeous - a bit counterintuitive <CODE>FORMAT = sourcetype::sourcetype1</CODE> as <CODE>DEST_KEY</CODE> already species the destination via <CODE>DEST_KEY = MetaData:Sourcetype</CODE>.</P> Wed, 26 Sep 2018 13:21:58 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-source-type-override-based-on-host-not-working/m-p/390704#M94147 ddrillic 2018-09-26T13:21:58Z