Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Assigning sourcetype to a source in HeavyForwarder props.conf is not working

greggz
Communicator
‎01-04-2018 07:54 AM

Shouldn't this work ? Only If I assign the sourcetype in the inputs.conf of the Universal forwarder this works.. But I don't want to assign it in UF. 

[source::///...../config/server.cnf]
sourcetype=my_weird_sourcetype

I'm on linux btw.

0 Karma
Reply

somesoni2
Revered Legend
‎01-04-2018 08:54 AM

As per http://docs.splunk.com/Documentation/Splunk/latest/admin/propsconf#Sourcetype_configuration , 

* sourcetype assignment settings on a system receiving forwarded splunk data
  will not be applied to forwarded data.

You heavy forwarder is receiving forwarded data from UF and forwarding it to Indexers, so it doesn't work there. Any specific reason for not doing sourcetype assignment from inputs.conf?

If you still want to do sourcetype assignment from HF, try this

HF props.conf

[source::..../config/server.cnf]
TRANSFORMS-stoverride =  set_my_weird_sourcetype

HF transforms.conf

[set_my_weird_sourcetype]
DEST_KEY = MetaData:Sourcetype
REGEX = .
FORMAT = sourcetypet::$1
Reply

greggz
Communicator
‎01-04-2018 09:17 AM

Btw man, what can I do if I want to override a sourcetype that I have already assigned ? Example:

For a ".cnf" file I assign a generic sourceType. But sometimes in those files, it comes XML written and I wanted to assign a new sourcetype with "KV_MODE = xml". Any ideas, like a Regex searching inside the file and alert me for a XML match and then assign that very XmlSourceType ? Thanks

0 Karma
Reply

greggz
Communicator
‎01-04-2018 09:10 AM

Yeh, I also read this in the docs:

Note: If you forward data, and you want to assign a source type for a source, you must assign the source type in props.conf on the forwarder. If you do it in props.conf on the receiver, the override has no effect.

So I started using in the props.conf in the UF and it worked. I'll try your version on the HF now. Thanks!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...