
Change source type

vistasyslog
New Member

I am trying to get the three IP addresses to use a new sourcetype when they send in data.

Props.conf reads :

[source::udp:514]
TRANSFORMS-riverbed_src = riverbed_steelhead
TRANSFORMS-changesourcetype = sourcetype_cisco_asa

transforms.conf reads :

[riverbed_steelhead]
REGEX = (10.12.0.20:10.0.0.33:10.10.20.185)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::riverbed_steelhead

[sourcetype_cisco_asa]
REGEX = (10.12.254.1:10.10.20.254:10.1.250.254)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::cisco_asa

I get the Error :

Possible typo in stanza [riverbed_steelhead] in transforms.conf. Line 4
Possible typo in stanza [sourcetype_cisco_asa] in transforms.conf. Line 10

Can someone help me find my problem please.

FYI : I also tried the format :

REGEX = (10.12.0.20|10.0.0.33|10.10.20.185)
0 Karma

tgow
Splunk Employee

I am wondering if the error is because you are using the incorrect syntax for the regex. If you want more than one IP address to match with the REGEX then you need to separate them with a pipe symbol and not a colon. Here is an example of what I would try:

[riverbed_steelhead]
REGEX = (10.12.0.20|10.0.0.33|10.10.20.185)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::riverbed_steelhead
0 Karma

vistasyslog
New Member

I tried it and still got the same error.

0 Karma

emiller42
Motivator

see my comment above for the explanation to your error. You can't have two TRANSFORMS lines in a single props.conf stanza.

0 Karma

vistasyslog
New Member

Thanks for the reply.
I am getting the logs sent to the new source type.
I still get that error though.
Can I have the logs to go to just the new sourcetype and not to syslogs at all ?

Thanks

0 Karma

vistasyslog
New Member

I am new to this.
First time I am setting up Splunk. I am no where close to being a REGEX Guru.
The error that I get is :

I get the Error :

Possible typo in stanza [riverbed_steelhead] in transforms.conf. Line 4

Thanks

0 Karma

DaveSavage
Builder

..and what error was it throwing at you? Can you paste it pls?

0 Karma

DaveSavage
Builder

Well, your original posting did indeed indicate that as the way you were going, vistasyslog, in the transforms and props?!
If you are talking about the indexer, yes that is what it is now expecting. If you are talking forwarder then yes, that's where it will be sending...
As Ayn said - are you new to this? No probs if so, just say - then peeps won't assume you are a guru on regex (for example)...they just want to help. Full problem statements get better results, trust me - we all need it.

0 Karma

emiller42
Motivator

The reason for the typo is you have two TRANSFORMS configurations when you should only have one. Instead of the two lines you have there, use:

TRANSFORMS-changesourcetype = riverbed_steelhead, sourcetype_cisco_asa

If you need to add more transforms.conf stanzas to this source, you just append them to the line, comma separated.

0 Karma

vistasyslog
New Member

One thing I don't understand is, when I restart Splunk, why do I get the typo error?
Is the above change going to make the IP addresses stop using syslog sourcetype and use just the riverbed_steelhead sourcetype ?

0 Karma

Ayn
Legend

If you want Splunk to read from the host field rather than the _raw field, then you must tell it to do so, yes.

SOURCE_KEY = MetaData:Host
REGEX = (10\.12\.0\.20|10\.0\.0\.33|10\.10\.20\.185)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::riverbed_steelhead
0 Karma

vistasyslog
New Member

I am figuring it out.
I thought the backslash before every dot on the IP address was the right way to do it.
I am getting typos for the first line though.
Should I specify a source key ?
All I need is a way to have 10.10.20.185 use the sourcetype as riverbed_steelhead instead of syslog.

0 Karma

DaveSavage
Builder

Thanks mate, appreciated.

0 Karma

Ayn
Legend

Your regexes look weird, vistasyslog. Do you know how to write regexes, or are you figuring it out as you go along? Because : is definitely not interpreted as an OR operator in regular expressions. | is, though.

Also you're not specifying a SOURCE_KEY, which means Splunk will match against the raw event data. Is this what you want, or do you want to read from the host field?

0 Karma
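The three fixes given in this thread (emiller42's single comma-separated TRANSFORMS- line, the | alternation instead of :, and Ayn's SOURCE_KEY = MetaData:Host with escaped dots) can be checked without a Splunk instance. The script below is an added example, not code from the thread or from Splunk: it embeds the corrected props.conf and transforms.conf as text and emulates only the subset of index-time transform semantics discussed above (SOURCE_KEY, REGEX, DEST_KEY, FORMAT, run in list order). The sample events and the anchoring of the REGEX with ^ and $ are my additions; Splunk's own REGEX is an unanchored PCRE search, so without the anchors a host of 10.12.0.201 would also be routed to riverbed_steelhead.

```python
"""Emulate Splunk's index-time TRANSFORMS- sourcetype routing.

Constructed example: it models the props.conf / transforms.conf keys used in
this thread, not Splunk's real config parser or its PCRE engine.
"""
import configparser
import re

# Corrected props.conf: ONE TRANSFORMS-<name> line, transforms comma separated.
PROPS_CONF = """
[source::udp:514]
TRANSFORMS-changesourcetype = riverbed_steelhead, sourcetype_cisco_asa
"""

# Corrected transforms.conf: match the host field, use | for alternation,
# escape the dots, and (my addition) anchor so 10.12.0.201 is not 10.12.0.20.
TRANSFORMS_CONF = r"""
[riverbed_steelhead]
SOURCE_KEY = MetaData:Host
REGEX = ^(10\.12\.0\.20|10\.0\.0\.33|10\.10\.20\.185)$
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::riverbed_steelhead

[sourcetype_cisco_asa]
SOURCE_KEY = MetaData:Host
REGEX = ^(10\.12\.254\.1|10\.10\.20\.254|10\.1\.250\.254)$
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::cisco_asa
"""

# Splunk key names used in the thread -> fields of our event dict (assumed model).
KEY_TO_FIELD = {"_raw": "_raw", "MetaData:Host": "host", "MetaData:Sourcetype": "sourcetype"}

# Constructed events: host is what Splunk set from the UDP packet's source address.
SAMPLE_EVENTS = [
    {"host": "10.10.20.185", "sourcetype": "syslog", "_raw": "<13>Jan  1 00:00:01 sh01 optimized 10.0.0.5"},
    {"host": "10.10.20.254", "sourcetype": "syslog", "_raw": "<166>Jan  1 00:00:02 asa01 %ASA-6-302013: Built"},
    {"host": "10.12.0.201", "sourcetype": "syslog", "_raw": "<13>Jan  1 00:00:03 other lookalike host"},
    {"host": "10.9.9.9", "sourcetype": "syslog", "_raw": "<13>Jan  1 00:00:04 box unrelated"},
]


def load_conf(text):
    """Parse a .conf fragment; keep key case so REGEX/SOURCE_KEY read as written."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def transforms_for_source(props, source):
    """Transform names for [source::<source>], in the order Splunk runs them."""
    names = []
    for key, value in props[f"source::{source}"].items():
        if key.startswith("TRANSFORMS-"):
            names.extend(n.strip() for n in value.split(","))
    return names


def apply_transform(event, stanza):
    """Run one transforms.conf stanza against an event; return True on match."""
    subject = event.get(KEY_TO_FIELD[stanza.get("SOURCE_KEY", "_raw")], "")
    if not re.search(stanza["REGEX"], subject):
        return False
    fmt = stanza["FORMAT"]
    # FORMAT for a metadata key is "<field>::<value>"; only the value is stored.
    event[KEY_TO_FIELD[stanza["DEST_KEY"]]] = fmt.split("::", 1)[1] if "::" in fmt else fmt
    return True


def route(event, source="udp:514"):
    """Return the sourcetype an event ends up with after all transforms run."""
    props, transforms = load_conf(PROPS_CONF), load_conf(TRANSFORMS_CONF)
    ev = dict(event)
    for name in transforms_for_source(props, source):
        apply_transform(ev, transforms[name])
    return ev["sourcetype"]


def regex_hits(pattern, host):
    """Unanchored search, as Splunk's REGEX does it; used to compare the variants."""
    return re.search(pattern, host) is not None


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev['host']:>14} -> {route(ev)}")
    print("colon variant matches 10.12.0.20:", regex_hits(r"(10.12.0.20:10.0.0.33:10.10.20.185)", "10.12.0.20"))
    print("unescaped dots match 10112.0.20:", regex_hits(r"(10.12.0.20|10.0.0.33|10.10.20.185)", "10112.0.20"))
```

Running it routes 10.10.20.185 to riverbed_steelhead and 10.10.20.254 to cisco_asa while 10.12.0.201 and 10.9.9.9 stay syslog; the colon form never matches a lone host, and the unescaped form matches 10112.0.20 because an unescaped dot matches any character. One caveat when relying on MetaData:Host for routing: for plain UDP syslog the host is taken from the packet's source address, which is unauthenticated, so this selects a sourcetype for parsing convenience, not as a trust decision.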

Ayn
Legend

Either indent code blocks with four spaces at the start of each line (this line needs to have empty lines before and after), or use backticks. This should make code show properly.

DaveSavage
Builder

May I just check - you have tried "10\.12\.0\.20""etc..."

0 Karma

DaveSavage
Builder

Understood - I know the issue re slashes (forward or backwards) being a representation issue...it's something to do with the formatting of responses and can be overcome. I'm not sure how as yet, but others have kindly corrected my stuff and I need to learn too! 😉

0 Karma

vistasyslog
New Member

there is a backslash before each ".", which for some reason is not showing up when I type it here.

0 Karma

vistasyslog
New Member

I also tried: [10.12.0.20|10.0.0.33) and that did not work either.
I don't understand the typo in the first line.

0 Karma

DaveSavage
Builder

Don't you need to escape the dots vistasyslog? Point / dot is a metacharacter in regular expressions. Usually fixed ones are in quotes? I'll try sort the regex out unless somebody does it first...

0 Karma