I've seemingly installed the InterMapper app according to the directions, yet the sourcetype is syslog_forwarded instead of InterMapper. Where would that be configured?
9/24/12 10:27:29.000 AM
<134>Sep 24 10:27:29 InterMapper_hostname InterMapper timestamp="09/24 10:27:29" map_name="Virtual Machines" notification_level="ACK" device_host="hostname" device_ip="x.x.x.x" probe_type="Ping/Echo" probe_message=""
host=InterMapper_hostname | sourcetype=syslog_forwarded | source=tcp:9998 | date_hour=10 | date_mday=24 | date_minute=27 | date_month=september | date_second=29 | date_wday=monday | date_year=2012 | date_zone=local | eventtype=nix-all-logs | index=main | linecount=1 | punct=<>__::_..__="/_::"_="_"_=""_="_-__"_="..."_="/"_=" | splunk_server=splunk | timeendpos=21 | timestartpos=5
Hey, to fix it for your setup, navigate to $SPLUNK_HOME/etc/apps/InterMapper/local on the indexer where the app is installed.
Here you need to create two files with the following contents:
props.conf
[source::tcp:9998]
TRANSFORMS-intermapper = intermapperSourceType
transforms.conf
[intermapperSourceType]
DEST_KEY = MetaData:Sourcetype
REGEX = InterMapper timestamp=
FORMAT = sourcetype::InterMapper
This should start correctly parsing all incoming events sent from your forwarder to the sourcetype InterMapper. You will need to restart Splunk for these changes to take effect, and if you make these new files in the local directory instead of changing the existing ones in the default directory, it will prevent any updates from breaking your setup 🙂
EDIT: Just as a side-note, although I don't think you should have an issue with the description of your setup, you may also need to do the following instead on the forwarder.
If you have all InterMapper syslog being written to one file which is then in its own monitor stanza in inputs.conf on the forwarder, you can just add the line:
sourcetype=InterMapper
and this will send all events with the InterMapper sourcetype.
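As an added illustration (not part of the original answer or the InterMapper app), the following Python emulates what the props.conf/transforms.conf stanzas above do at index time, so you can check that the REGEX actually matches your events before restarting splunkd; the sample events and the field parser are constructed here and are assumptions, not Splunk's own implementation.

```python
import re

# Constructed sample events (not real traffic), as (source, raw event) pairs.
# The first mimics the event in the question; the third mimics the "expected
# format" event further down the thread, with nested quotes in probe_message.
SAMPLE_EVENTS = [
    ("tcp:9998", '<134>Sep 24 10:27:29 InterMapper_hostname InterMapper timestamp="09/24 10:27:29" '
                 'map_name="Virtual Machines" notification_level="ACK" device_host="hostname" '
                 'device_ip="x.x.x.x" probe_type="Ping/Echo" probe_message=""'),
    ("tcp:9998", '<38>Sep 24 10:28:01 somehost sshd[1234]: Accepted publickey for alice'),
    ("udp:514",  'Sep 23 06:47:44 demo3.intermapper.com InterMapper timestamp="09/23 06:47:44" '
                 'map_name="Splunk Demo" notification_level="Warning" device_host="localhost." '
                 'probe_message="Usage (87%) of memory "Physical memory" exceeds 75%."'),
]

# Mirrors the props.conf / transforms.conf stanzas from the answer above.
PROPS = {"source::tcp:9998": ["intermapperSourceType"]}   # TRANSFORMS-intermapper
TRANSFORMS = {
    "intermapperSourceType": {
        "REGEX": re.compile(r"InterMapper timestamp="),
        "DEST_KEY": "MetaData:Sourcetype",
        "FORMAT": "sourcetype::InterMapper",
    }
}

def assign_sourcetype(source, raw, default="syslog_forwarded"):
    """Return the sourcetype the event ends up with after the index-time transform.

    Only stanzas keyed on this event's source are consulted, and the transform
    only rewrites the sourcetype when its REGEX matches the raw event."""
    sourcetype = default
    for name in PROPS.get("source::" + source, []):
        t = TRANSFORMS[name]
        if t["DEST_KEY"] == "MetaData:Sourcetype" and t["REGEX"].search(raw):
            sourcetype = t["FORMAT"].split("::", 1)[1]   # sourcetype::X -> X
    return sourcetype

# A closing quote only ends a value when the next key="..." or end of line
# follows, so a probe_message that itself contains quoted text stays intact.
FIELD_RE = re.compile(r'(\w+)="(.*?)"(?=\s+\w+="|\s*$)')

def parse_fields(raw):
    """Extract InterMapper's key="value" pairs from one event (empty if none)."""
    return dict(FIELD_RE.findall(raw))

def route_all(events=SAMPLE_EVENTS):
    """Apply the transform to every sample event; returns [(sourcetype, fields)]."""
    return [(assign_sourcetype(src, raw), parse_fields(raw)) for src, raw in events]
```

Note that the udp:514 sample keeps the default sourcetype: the stanza is keyed on the source, so events arriving on another input need their own stanza (or the forwarder-side override described in the EDIT).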
Yes, I did warn you of this in my answer 🙂 Anything that changes index-time parsing requires a restart of splunkd; anything you change in props/transforms that affects search-time extractions only requires a search to be re-run.
I had to restart splunk for this to take effect.
Below is the expected message format. Is it possible that there was an existing "Source name override" in Splunk, or that you are using a forwarder on your network?
Expected Format:
Sep 24 13:57:43 74.63.221.42 Sep 23 06:47:44 demo3.intermapper.com InterMapper timestamp="09/23 06:47:44" map_name="Splunk Demo" notification_level="Warning" device_host="localhost." device_ip="127.0.0.1" probe_type="SNMP - Host Resources (port 161 SNMPv1)" probe_message="Load (86%) on processor at index 768 exceeds 80%. Usage (87%) of memory "Physical memory" exceeds 75%."
host=74.63.221.42 | sourcetype=InterMapper | source=udp:514
I was wrong about changing the UDP port on which InterMapper sends its syslog notification, it is not configurable. I do not have a solution yet. I'm setting up a forwarder to see if I can get it to forward correctly with original sourcetype.
I am using UDP 514 for multiple other inputs. How would I configure the syslog notifier in InterMapper to send on a different port?
I do not have personal experience with this, but I did find this on Splunkbase:
Important: If you are forwarding data, and you want to assign a source type for a source, you must do this in props.conf on the forwarder. If you do it in props.conf on the receiver, the override will not take effect.
To override source type assignment, add a stanza for your source to props.conf. In the stanza, identify the source path, using regex syntax for flexibility if necessary. Then specify the source type by including a sourcetype attribute.
from:
http://docs.splunk.com/Documentation/Splunk/latest/Data/Bypassautomaticsourcetypeassignment
So I think for the default InterMapper install (UDP, port 514), adding the following to the forwarder props.conf would work. If you are using 514 for other logs, you could set InterMapper to a different UDP port and match the change in the props.conf.
[source::udp:514]
sourcetype=InterMapper
Let me know if that helps and I will update our documentation and testing scenarios.
Thanks for your interest.
Gurdev
I am using forwarders.