InterMapper app sourcetype not intermapper

edonze
Path Finder

I've seemingly installed the InterMapper app according to the directions, yet the sourcetype is syslog_forwarded instead of InterMapper. Where would that be configured?

9/24/12 10:27:29.000 AM
<134>Sep 24 10:27:29 InterMapper_hostname InterMapper timestamp="09/24 10:27:29" map_name="Virtual Machines" notification_level="ACK" device_host="hostname" device_ip="x.x.x.x" probe_type="Ping/Echo" probe_message=""
host=InterMapper_hostname  sourcetype=syslog_forwarded  source=tcp:9998  date_hour=10  date_mday=24  date_minute=27  date_month=september  date_second=29  date_wday=monday  date_year=2012  date_zone=local  eventtype=nix-all-logs  index=main  linecount=1  punct=<>__::_..__="/_::"_="_"_=""_="_-__"_="..."_="/"_="  splunk_server=splunk  timeendpos=21  timestartpos=5
1 Solution

Drainy
Champion

Hey, to fix it for your setup navigate to $SPLUNK_HOME/etc/apps/InterMapper/local on the indexer where the app is installed.

Here you need to create two files with the following contents:

props.conf

[source::tcp:9998]
TRANSFORMS-intermapper = intermapperSourceType

transforms.conf

[intermapperSourceType]
DEST_KEY = MetaData:Sourcetype
REGEX = InterMapper timestamp=
FORMAT = sourcetype::InterMapper

This should start correctly parsing all incoming events sent from your forwarder to the sourcetype InterMapper. You will need to restart Splunk for these changes to take effect, and if you make these new files in the local directory instead of changing the existing ones in the default directory, it will prevent any updates breaking your setup 🙂

EDIT: Just as a side-note, although I don't think you should have an issue with the description of your setup, you may also need to do the following instead on the forwarder.

If you have all InterMapper syslog being written to one file which is then in its own monitor stanza in inputs.conf on the forwarder, you can just add the line:

sourcetype=InterMapper

and this will send all events with the InterMapper sourcetype.

Drainy
Champion

Yes, I did warn you of this in my answer 🙂 Anything that changes index-time parsing requires a restart of splunkd; anything you change in props/transforms that affects search-time extractions only requires a search to be re-run.

edonze
Path Finder

I had to restart splunk for this to take effect.

InterMapper
Explorer

Below is the expected message format. Is it possible that there was an existing "Source name override" in Splunk or that you are using a forwarder on your network?

Expected Format:

Sep 24 13:57:43 74.63.221.42 Sep 23 06:47:44 demo3.intermapper.com InterMapper timestamp="09/23 06:47:44" map_name="Splunk Demo" notification_level="Warning" device_host="localhost." device_ip="127.0.0.1" probe_type="SNMP - Host Resources (port 161 SNMPv1)" probe_message="Load (86%) on processor at index 768 exceeds 80%.  Usage (87%) of memory "Physical memory" exceeds 75%."
host=74.63.221.42  sourcetype=InterMapper  source=udp:514

InterMapper
Explorer

I was wrong about changing the UDP port on which InterMapper sends its syslog notification, it is not configurable. I do not have a solution yet. I'm setting up a forwarder to see if I can get it to forward correctly with original sourcetype.

edonze
Path Finder

I am using UDP 514 for multiple other inputs. How would I configure the syslog notifier in InterMapper to send on a different port?

InterMapper
Explorer

I do not have personal experience with this, but I did find this on Splunkbase:

Important: If you are forwarding data, and you want to assign a source type for a source, you must do this in props.conf on the forwarder. If you do it in props.conf on the receiver, the override will not take effect.

To override source type assignment, add a stanza for your source to props.conf. In the stanza, identify the source path, using regex syntax for flexibility if necessary. Then specify the source type by including a sourcetype attribute.

from:
http://docs.splunk.com/Documentation/Splunk/latest/Data/Bypassautomaticsourcetypeassignment

So I think for the default InterMapper install (UDP, port 514), adding the following to the forwarder props.conf would work. If you are using 514 for other logs, you could set InterMapper to a different UDP port and match the change in the props.conf:

[source::udp:514]
sourcetype=InterMapper

Let me know if that helps and I will update our documentation and testing scenarios.
Thanks for your interest.

Gurdev
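
As an added illustration (not code from this thread, from Splunk, or from the InterMapper app), here is a small Python model of the two overrides discussed above: Drainy's indexer-side TRANSFORMS-based override (props.conf plus transforms.conf) and Gurdev's static sourcetype stanza for the forwarder's props.conf. It assumes a simplified Splunk: stanza lookup is an exact source:: match and the transform's REGEX is tested against the raw event only; the sample events are constructed from the one in the question.

```python
import configparser
import re

# Constructed copies of the stanzas from the thread (indexer side and forwarder side).
INDEXER_PROPS = """
[source::tcp:9998]
TRANSFORMS-intermapper = intermapperSourceType
"""
TRANSFORMS_CONF = """
[intermapperSourceType]
DEST_KEY = MetaData:Sourcetype
REGEX = InterMapper timestamp=
FORMAT = sourcetype::InterMapper
"""
FORWARDER_PROPS = """
[source::udp:514]
sourcetype = InterMapper
"""

def load_conf(text):
    """Parse a Splunk-style .conf fragment into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case: DEST_KEY, TRANSFORMS-..., sourcetype
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def resolve_sourcetype(props, transforms, source, raw, sourcetype="syslog_forwarded"):
    """Simplified model (assumption) of index-time sourcetype assignment: the event's
    [source::<source>] stanza may set a static 'sourcetype', and each TRANSFORMS-* it
    lists runs REGEX against _raw; on a match with DEST_KEY = MetaData:Sourcetype the
    FORMAT value 'sourcetype::<name>' becomes the new sourcetype."""
    stanza = props.get("source::" + source, {})
    sourcetype = stanza.get("sourcetype", sourcetype)
    for key, names in stanza.items():
        if key.startswith("TRANSFORMS-"):
            for name in (n.strip() for n in names.split(",")):
                t = transforms.get(name, {})
                if t.get("DEST_KEY") == "MetaData:Sourcetype" and re.search(t["REGEX"], raw):
                    sourcetype = t["FORMAT"].split("::", 1)[1]
    return sourcetype

# Constructed events modelled on the one shown in the question.
IM_EVENT = ('<134>Sep 24 10:27:29 InterMapper_hostname InterMapper '
            'timestamp="09/24 10:27:29" map_name="Virtual Machines" notification_level="ACK"')
OTHER_EVENT = '<134>Sep 24 10:28:00 somehost sshd[123]: Accepted publickey for user'

def indexer_sourcetype(source, raw):
    return resolve_sourcetype(load_conf(INDEXER_PROPS), load_conf(TRANSFORMS_CONF), source, raw)

def forwarder_sourcetype(source, raw):
    return resolve_sourcetype(load_conf(FORWARDER_PROPS), {}, source, raw)
```

The regex-based override only retags events on tcp:9998 whose raw text contains the InterMapper marker, so unrelated syslog on the same input keeps syslog_forwarded, whereas the static stanza retags everything arriving on udp:514 regardless of content.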

edonze
Path Finder

I am using forwarders.
