Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Change sourcetype via field extraction and transforms

niboucher
Explorer
‎10-02-2018 02:56 AM

Hi there,

One of UF is configured to send logs to sourcetype testData.
I'd like to push some of those logs matching a certain pattern (all logs matching the "[A][B]" pattern) to sourcetype testData_B.

Sample of log

[A][B] blabla
[A][C] blabla

I tried to use transforms and field extraction but I couldn't make it work. I don't have ssh access so I did via the web interface

Transformation
alt text

Field extraction
alt text

What's wrong with my setup?

Thanks!

Tags (1)
Preview file
1 KB
Preview file
1 KB
0 Karma
Reply

harsmarvania57
Ultra Champion
‎10-04-2018 01:48 AM

I have ingested below data in my lab environment with below config and it is working fine (Splunk version 7.1.2)

[A][B] blabla
[A][C] blabla

props.conf (In below config I have given DATETIME_CONFIG = CURRENT because in sample data we don't have any timestamp)

[testData]
TRANSFORMS-testProp = testData_trans
SHOULD_LINEMERGE = False
DATETIME_CONFIG = CURRENT
NO_BINARY_CHECK = true
disabled = false
pulldown_type = true

transforms.conf

[testData_trans]
DEST_KEY = MetaData:Sourcetype
REGEX = \[A\]\[B\]
FORMAT = sourcetype::testData_B

With above config [A][B] blabla line indexed with sourcetype testData_B and [A][C] blabla line indexed with sourcetype testData

0 Karma
Reply

niboucher
Explorer
‎10-02-2018 09:14 AM

I tried to modify directly props.conf and transforms.conf and restart splunk but that didn't make it

transforms.conf

[testData_trans]
SOURCE_KEY = MetaData:Sourcetype
REGEX = (\[A\]\[B\].*)
FORMAT = sourcetype::testData_B

props.conf

 [sourcetype::testData]
 TRANSFORMS-testProp = testData_trans

Do you guys have any idea that could help me make this work?

0 Karma
Reply

niboucher
Explorer
‎10-04-2018 09:59 AM

Thanks a lot man!
The problem was certainly caused by the lack of timestamp.
Setting it to CURRENT and using the regex you provided made it work.

Niboucher

0 Karma
Reply

harsmarvania57
Ultra Champion
‎10-04-2018 11:24 AM

Great that it worked, DATETIME_CONFIG = CURRENT assigns timestamp from splunk server itself, which means when data indexed whatever time present on splunk server that time will be assigned to events.

I have converted my comment to answers, so that you can accept & upvote it.

0 Karma
Reply

harsmarvania57
Ultra Champion
‎10-02-2018 09:36 AM

Config should be like this

props.conf

[testData]
TRANSFORMS-testProp = testData_trans

transforms.conf

[testData_trans]
DEST_KEY = MetaData:Sourcetype
REGEX = (\[A\]\[B\].*)
FORMAT = sourcetype::testData_B
0 Karma
Reply

niboucher
Explorer
‎10-03-2018 12:56 AM

That didn't work either.

UF conf
inputs.conf

[monitor:///var/log/containers/*.log]
sourcetype = testData
recursive = false

Indexer conf
props.conf

 [testData]
 TRANSFORMS-testProp = testData_trans

transforms.conf

 [testData_trans]
 DEST_KEY = MetaData:Sourcetype
 REGEX = (\[A\]\[B\].*)
 FORMAT = sourcetype::testData_B
0 Karma
Reply

harsmarvania57
Ultra Champion
‎10-03-2018 01:15 AM

It should work, can you please try with REGEX = \[A\]\[B\] in transforms.conf, don't forget to restart splunk.

Additionally data which is already indexed with old sourcetype will not change only new data which will come to Indexer now onwards will have new sourcetype (Here I am guessing that UF is sending logs to Indexer directly and not via Heavy Forwarder)

0 Karma
Reply

niboucher
Explorer
‎10-04-2018 12:45 AM

it didn't work

When I use regex below, it works and index everything in the dest sourcetype but adding a pattern inside the capturing group breaks it
REGEX= (.*)

0 Karma
Reply

harsmarvania57
Ultra Champion
‎10-02-2018 05:59 AM

Hi @niboucher,

Do you want to index data in different sourcetype when it comes to Indexer ? Are you running single instance, distributed environment or clustered environment ?

If you don't have ssh access to splunk server you can use REST API to do configuration on indexers but this approach is not suitable for clustered indexer, you can find Splunk SDK Python script on this answer to create props.conf configuration, similarly you can create configuration for transforms.conf (Here is another answer which will help you to do configuration which you will require to rename sourcetype based on REGEX)

0 Karma
Reply

niboucher
Explorer
‎10-02-2018 06:44 AM

Hey,

Exactly!
I want data to be indexed in a different sourcetype when data arrives to the indexer.
It's a clustered environnment and I have very limited rights as a user.
REST API doesn't seem to be a suitable option.

I will deploy a new splunk instance with full admin rights to try to modify directly transforms.conf and props.conf

Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...