What are the execution sequence of transforms from...

fxyfrank_acn · ‎02-07-2019

We want to change sourcetype and then send data to two different Splunk Indexers.

What is happening is the sourcetype is getting changed (that means first transform is working) BUT the seconds pros.conf stanza present in the apps folder is not working (It is only send the logs to default output group).

Transform 1: SPLUNK_HOME/etc/system/local/
props.conf

[source::/abc/xyz.log]
TRANSFORMS-changesourcetype = st

transforms.conf

[st]
REGEX = \.*\[12345]\.*
FORMAT = sourcetype::my_sourcetype
DEST_KEY = MetaData:Sourcetype

Transform 2: SPLUNK_HOME/etc/apps/application/local/
props.conf

[my_sourcetype]
TRANSFORMS-routing = route_data

transforms.conf

[route_data]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = indexer1, indexer2

anwarmian · ‎10-26-2020

Since this will be performed at index parsing stage file precedence will be in global context so /system/local will have higher precedence than application/local. So, in your case "my_sourcetype" will be created first then you can use "my_sourcetype" in application/local to redirect logs to different indexes.

harsmarvania57 · ‎02-08-2019

Have a look at my answer https://answers.splunk.com/answers/686241/metadata-transforms-not-being-applied-after-series-1.html , you will get an idea what is happening.

vishaltaneja070 · ‎02-07-2019

Hello @fxyfrank_acn
Can you please share the details present in outputs.conf as well.

vishaltaneja070 · ‎02-07-2019

You have to mention something like this in outputs.conf as well to make second transforms work:

[tcpout:indexer1]
disabled=false
server=xx.x.xx.x:9997

[tcpout:indexer2]
disabled=false
server=xx.x.xx.x:9997

fxyfrank_acn · ‎02-12-2019

the two indexers are specified in the outputs.conf as what you have mentioned however it still doesn't work.

I have tried to apply the Sourcetype change on the Indexer (indexing time), still no luck.

kamlesh_vaghela · ‎02-07-2019

@fxyfrank_acn

Please see How Splunk determines precedence order and other section for your answer.

https://docs.splunk.com/Documentation/Splunk/7.2.3/Admin/Wheretofindtheconfigurationfiles

You can run btool to see all the configuration values in use by your Splunk instance.

http://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/Usebtooltotroubleshootconfigurati...

Thanks

MuS · ‎02-07-2019

And there is the common misunderstanding:

btool does not show the actual config in use by Splunk, it merges all on disk config files and shows the potential configuration Splunk is using ....

Quote from the docs:

Btool displays merged on-disk configurations. That is, btool shows you the merged settings in the .conf files. It does not necessarily show you what Splunk software is currently using.

link to the docs https://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/Usebtooltotroubleshootconfigurat...

If you want to see the actual config Splunk is using right now, run this command:

$SPLUNK_HOME/bin/splunk show config ....

links to the docs https://docs.splunk.com/Documentation/Splunk/latest/Admin/CLIadmincommands

It is a bit like in the old days with Cisco routers, there is a difference between running config and start-up config 😉

cheers, MuS

What are the execution sequence of transforms from different stanza located in the difference configuration files ?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!