help using transforms to change sourcetype from ne...

danielwalford · ‎04-08-2021

hi, i've been trying for a long time now to get netscaler ipfix/netflow data properly ingested into a Nozo9110test splunk instance.

I have the stream app and forwarder etc looking like they are working. all the data comes in as sourcetype stream:netflow. however i need this to be sourcetype citrix:netscaler:ipfix. so i have added props and transforms to achieve that based on the ip address the data is coming from. now this has worked and the sourcetype has changed as you can see:

however, i expected the data to then be processed and the fields extracted from the netscalersyslogmessage field. in the netscaler TA there are entries to transform sourcetype on the detection of netscalerSyslogMessage but none of that seems to be happening.

i'm sure i'm just missing something obvious but i'd really appreciate some help nailing this down.

here's what i've done to change the sourcetype:

props:

[source::stream:netflow]
TRANSFORMS-changesourcetype = set_netscaler

transforms:

[set_netscaler]
FORMAT = sourcetype::citrix:netscaler:ipfix
DEST_KEY = MetaData:Sourcetype
REGEX= exporter_ip":"172.31.113.8

help using transforms to change sourcetype from netflow

configuration

troubleshooting

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Join the Conversation