Getting Data In

Changing the sourcetype to remove spaces

jwhughes58
Contributor

I'm working on a TA to process Venafi messages brought in via RestAPI. When I was testing I used hostname in the props.conf file to call the transform to change the sourcetype. I can't do that in production because the production Windows servers send logs via the UF. I tried this yesterday in test.

props.conf
[source::Venafi\sTrust\sProtection\sPlatform]
TZ = US/Pacific
TRANSFORMS-venafi = venafi_sourcetype_rename

transforms.conf
[venafi_sourcetype_rename]
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::venafi_tpp
REGEX = (.)

According to the Splunk documentation it is a source-matching pattern

  1. source::, where is the source, or source-matching pattern, for an event.

This is what I have to work with

source = Venafi Trust Protection Platform
sourcetype = Venafi TPP Log Event

Any ideas on how I can use source to reset sourcetype?

TIA,
Joe

0 Karma
1 Solution

jwhughes58
Contributor

What I wound up doing was using source=Venafi* since Venafi only has the one feed.

View solution in original post

0 Karma

jwhughes58
Contributor

What I wound up doing was using source=Venafi* since Venafi only has the one feed.

0 Karma

woodcock
Esteemed Legend

Whatever you were doing in pre-prod should work fine in production, you just need to deploy it to your Indexer (or HF) tier.

0 Karma

maciep
Champion

have you tried just putting the spaces in the source:: stanza? Not sure if you need regex there or why splunk wouldn't be able to handle spaces...but i've never tried.

Also, how is the data getting sent into Splunk...and is there a reason the sourcetype can't just be set there? I'm a little confused on the Rest API and the Windows UF part of the scenario...but likely it could be set at input time?

0 Karma

jwhughes58
Contributor

The data is ingested by Splunk via the RestAPI. Unfortunately the application sets the sourcetype before sending the messages and the sourcetype can't be changed in the application UI.

0 Karma
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...