Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Assigning sourcetype to a source in HeavyForwarder props.conf is not working

greggz
Communicator
‎01-04-2018 07:54 AM

Shouldn't this work ? Only If I assign the sourcetype in the inputs.conf of the Universal forwarder this works.. But I don't want to assign it in UF. 

[source::///...../config/server.cnf]
sourcetype=my_weird_sourcetype

I'm on linux btw.

0 Karma
Reply

somesoni2
Revered Legend
‎01-04-2018 08:54 AM

As per http://docs.splunk.com/Documentation/Splunk/latest/admin/propsconf#Sourcetype_configuration , 

* sourcetype assignment settings on a system receiving forwarded splunk data
  will not be applied to forwarded data.

You heavy forwarder is receiving forwarded data from UF and forwarding it to Indexers, so it doesn't work there. Any specific reason for not doing sourcetype assignment from inputs.conf?

If you still want to do sourcetype assignment from HF, try this

HF props.conf

[source::..../config/server.cnf]
TRANSFORMS-stoverride =  set_my_weird_sourcetype

HF transforms.conf

[set_my_weird_sourcetype]
DEST_KEY = MetaData:Sourcetype
REGEX = .
FORMAT = sourcetypet::$1
Reply

greggz
Communicator
‎01-04-2018 09:17 AM

Btw man, what can I do if I want to override a sourcetype that I have already assigned ? Example:

For a ".cnf" file I assign a generic sourceType. But sometimes in those files, it comes XML written and I wanted to assign a new sourcetype with "KV_MODE = xml". Any ideas, like a Regex searching inside the file and alert me for a XML match and then assign that very XmlSourceType ? Thanks

0 Karma
Reply

greggz
Communicator
‎01-04-2018 09:10 AM

Yeh, I also read this in the docs:

Note: If you forward data, and you want to assign a source type for a source, you must assign the source type in props.conf on the forwarder. If you do it in props.conf on the receiver, the override has no effect.

So I started using in the props.conf in the UF and it worked. I'll try your version on the HF now. Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...