sourcetype = cyrus

stwong · ‎06-20-2018

Hi all,

Seems we have to override the sourcetype to sourcetype other than 'recognized' ones (e.g. syslog) in order to make host_segment work. e.g.

[monitor:///ssd/*/*/cyrus.log]
disabled = false
host_segment = 3
index = test
sourcetype = cyrus

However, for some cases, we hope to make use of sourcetype from Splunk (e.g. syslog) but use host_segment instead of host parsed in the log content for that particular sourcetype. Possible to do that at inputs.conf without touching other config files like props.conf or transform.conf?

Sorry for the newbie question.

Thanks and regards

FrankVl · ‎06-21-2018

Syslog sourcetype comes with a TRANSFORMS stanza in etc/system/default/props.conf that pulls the hostname from the event. If you don't want that to happen, add the following empty transforms setting in your own local props.conf, to disable that feature for this particular source.

[source::/ssd/*/*/cyrus.log]
TRANSFORMS =

View solution in original post

FrankVl · ‎06-21-2018

Syslog sourcetype comes with a TRANSFORMS stanza in etc/system/default/props.conf that pulls the hostname from the event. If you don't want that to happen, add the following empty transforms setting in your own local props.conf, to disable that feature for this particular source.

[source::/ssd/*/*/cyrus.log]
TRANSFORMS =

stwong · ‎06-21-2018

tried but seems not working - still gets hostname from log content. My inputs.conf looks like following:

[monitor:///ssd///cyrus.log]
ignoreOlderThan=1d
disabled = false
TRANSFORMS =
TRANSFORMS-host =
host_segment = 3
index = test

sourcetype = cyrus

Did I miss anything?

Thanks and rgds

FrankVl · ‎06-21-2018

The source based stanza incl. the empty transforms as I put it in my answer should go into props.conf, not inputs.conf.

stwong · ‎06-21-2018

stupid me. sorry for the newbie mistake...

Just put following in props.conf but seems no effect.

[source::/ssd///cyrus.log]
TRANSFORMS =
TRANSFORMS-host =

splunk btools props list shows the setting is correct. Would you help? Thanks again.

FrankVl · ‎06-21-2018

Hmm, I would think that should overwrite the setting in default/props.conf. Can you try setting it under [syslog] in props.conf, rather than that source based stanza?

PS: where are you deploying this props.conf? It should be on heavy forwarder or indexer. If you are collecting this data with a universal forwarder, it doesn't work putting this props.conf on the UF.

stwong · ‎06-21-2018

It should be on heavy forwarder or indexer

Got it. Will this overrides host part for all data with sourcetype=syslog?
Chances are we hope to use host_segments for syslog data on some UF, while keep using host in log content for some other UF.

Sorry to bother again.
Thanks a lot.

FrankVl · ‎06-21-2018

When you set it for [syslog] it applies to all feeds with that sourcetype. So better set it using a source based stanza as I originally suggested (assuming that indeed works).

stwong · ‎06-22-2018

Noted and thanks. Will try it out.

stwong · ‎06-21-2018

Got it. Thanks a lot.

Can you override sourcetype at inputs.conf without touching other config files ?

sourcetype = cyrus

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!