- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Splunk Add-on for Infoblox: Why are sourcetype tra...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We recently moved from a single indexer/search head to a distributed environment. I have a couple of apps/TA's that have sourcetype transforms, one being Splunk Add-on for Infoblox. This TA stopped working after our upgrade. I verified that the props and transforms configs are on the Cluster Master and have been pushed to our two indexers. They are also on the search head. The documentation indicates that the TA supports a distributed environment.
Does anyone have any suggestions on how to troubleshoot this issue? I know the config is good since it was working before. The logs are being ingested from a server with a Universal Forwarder on it, which sets the sourcetype to infoblox:file.
Excerpt from transforms.conf
[infoblox_branch_source_type_1]
DEST_KEY = MetaData:Sourcetype
REGEX = \sdhcpd\[
FORMAT = sourcetype::infoblox:dhcp
[infoblox_branch_source_type_2]
DEST_KEY = MetaData:Sourcetype
REGEX = \snamed\[
FORMAT = sourcetype::infoblox:dns
Excerpt from props.conf
[infoblox:port]
TRANSFORMS-0_branch_source_type = infoblox_branch_source_type_1, infoblox_branch_source_type_2
SHOULD_LINEMERGE = false
DATETIME_CONFIG = NONE
TRUNCATE = 0
[infoblox:file]
TRANSFORMS-0_branch_source_type = infoblox_branch_source_type_1, infoblox_branch_source_type_2
MAX_TIMESTAMP_LOOKAHEAD = 20
SHOULD_LINEMERGE = false
TRUNCATE = 0
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You didn't mention what the data is now being source typed as now. Still infoblox:file?
btool is your friend. I suggest that you open a terminal session to one of the indexers and run the command:
splunk btool props list --debug > /tmp/props.txt
and
splunk btool transforms list --debug > /tmp/transforms.tx
First examine the props.txt and look for the [infoblox:file] stanza. Make sure that it has the TRANSFORMS-0 setting.
Next examine the transforms.txt file and make sure that it has the actual transforms listed from the props.conf settings.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,bsanch2
I would like to ask you how to use infoblox add-on this plugin. And get infoblox after syslog done using scenes or dashboards?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You didn't mention what the data is now being source typed as now. Still infoblox:file?
btool is your friend. I suggest that you open a terminal session to one of the indexers and run the command:
splunk btool props list --debug > /tmp/props.txt
and
splunk btool transforms list --debug > /tmp/transforms.tx
First examine the props.txt and look for the [infoblox:file] stanza. Make sure that it has the TRANSFORMS-0 setting.
Next examine the transforms.txt file and make sure that it has the actual transforms listed from the props.conf settings.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the advice, I wasn't familiar with btool, it's exactly what I needed. I found that the props and transforms for the app weren't being used, which led me to read up on how apps should be deployed in a distributed environment. Our admin placed the apps under the wrong directory on the Master Cluster server. Once I moved them to the correct location, and re-deployed them my sourcetypes began working!
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
