
Why is source type override based on host not working?

Explorer

Hi All,

I have some switch logs which are configured to Splunk from 3 Universal Forwarders into one index. Based on host values, I renamed the source type by configuring props and transforms. I am able to see new source types in the index, but now the issue is when I search for that particular source type, it is not giving results.

index = index1 ----giving results and able to see sourcetypes in the field values as expected
index = index1 sourcetype = sourcetype1 ----- no results

props.conf
[origsourcetype]
TRANSFORMS-rename = index1host1,index1host2,index1host3

transforms.conf
[index1host1]
REGEX = host1
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype1
WRITE_META = true

[index1host2]
REGEX = host2
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype2
WRITE_META = true

[index1host3]
REGEX = host3
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype3
WRITE_META = true

Did I miss any configurations? Could anyone please help? Thanks in advance.

0 Karma

Re: Why is source type override based on host not working?

Ultra Champion

Looks really clean @siva_cg, I wonder which log file tracks the transforms.conf work...

0 Karma

Re: Why is source type override based on host not working?

Communicator

@siva_cg try updating transforms.conf with WRITE_META = false and restart the indexer(s) for the new changes to take effect, and see if it works.

0 Karma

Re: Why is source type override based on host not working?

Explorer

I changed the WRITE_META value to false and restarted but still no luck @Rob2520. I am able to see the new sourcetype values in interested fields but not able to search for them.

0 Karma

Re: Why is source type override based on host not working?

SplunkTrust

Hi @siva_cg,

Your configuration for setting the sourcetype is not correct; look at the answer I gave on this question https://answers.splunk.com/answers/686241/metadata-transforms-not-being-applied-after-series-1.html#...

Try setting transforms.conf like this:

[index1_host1]
REGEX = host1
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::sourcetype1

[index1_host2]
REGEX = host2
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::sourcetype2

[index1_host3]
REGEX = host3
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::sourcetype3

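As an added example (not part of the original thread or of Splunk itself), a small Python check that parses the question's transforms.conf stanza beside the accepted answer's corrected one and flags the two things that bite here: a FORMAT without the sourcetype:: prefix when DEST_KEY = MetaData:Sourcetype, and props.conf TRANSFORMS-* names that no longer match the (renamed) transforms stanzas. The stanza samples are constructed from the thread with underscores restored.

```python
import configparser

# Constructed samples: the questioner's stanza (underscores restored) beside
# the accepted answer's corrected stanza, each with a matching props.conf entry.
ORIGINAL_TRANSFORMS = """
[index1host1]
REGEX = host1
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype1
WRITE_META = true
"""
FIXED_TRANSFORMS = """
[index1_host1]
REGEX = host1
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::sourcetype1
"""
PROPS_ORIG = "[origsourcetype]\nTRANSFORMS-rename = index1host1\n"
PROPS_FIXED = "[origsourcetype]\nTRANSFORMS-rename = index1_host1\n"

def parse_conf(text):
    """Parse a Splunk .conf fragment into {stanza: {KEY: value}}, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep DEST_KEY etc. as written instead of lowercasing
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def lint_sourcetype_overrides(props_text, transforms_text):
    """Return findings for host-based sourcetype overrides; empty if the config looks right."""
    props = parse_conf(props_text)
    transforms = parse_conf(transforms_text)
    findings = []
    for stanza, keys in transforms.items():
        if keys.get("DEST_KEY") != "MetaData:Sourcetype":
            continue
        fmt = keys.get("FORMAT", "")
        if not fmt.startswith("sourcetype::"):  # the bug in the question
            findings.append(f"{stanza}: FORMAT must be 'sourcetype::<name>', got '{fmt}'")
        if keys.get("WRITE_META", "false").lower() == "true":
            findings.append(f"{stanza}: WRITE_META is not needed for a metadata override; the accepted answer omits it")
    # Every name in a props.conf TRANSFORMS-* list must exist as a transforms stanza;
    # renaming stanzas as in the answer without updating props.conf leaves the override unapplied.
    for stanza, keys in props.items():
        for key, value in keys.items():
            if key.startswith("TRANSFORMS-"):
                for name in (n.strip() for n in value.split(",")):
                    if name not in transforms:
                        findings.append(f"{stanza}/{key}: references missing transforms stanza '{name}'")
    return findings
```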


Re: Why is source type override based on host not working?

Explorer

Thank you @harsmarvania57. It is working now.

0 Karma

Re: Why is source type override based on host not working?

Ultra Champion

Gorgeous - a bit counterintuitive: FORMAT = sourcetype::sourcetype1, as DEST_KEY already specifies the destination via DEST_KEY = MetaData:Sourcetype.

0 Karma