Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Changing the sourcetype to remove spaces

jwhughes58
Contributor
‎01-17-2020 09:04 AM

I'm working on a TA to process Venafi messages brought in via RestAPI. When I was testing I used hostname in the props.conf file to call the transform to change the sourcetype. I can't do that in production because the production Windows servers send logs via the UF. I tried this yesterday in test.

props.conf
[source::Venafi\sTrust\sProtection\sPlatform]
TZ = US/Pacific
TRANSFORMS-venafi = venafi_sourcetype_rename

transforms.conf
[venafi_sourcetype_rename]
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::venafi_tpp
REGEX = (.)

According to the Splunk documentation it is a source-matching pattern

  1. source::, where is the source, or source-matching pattern, for an event.

This is what I have to work with

source = Venafi Trust Protection Platform
sourcetype = Venafi TPP Log Event

Any ideas on how I can use source to reset sourcetype?

TIA,
Joe

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jwhughes58
Contributor
‎01-20-2020 10:41 AM

What I wound up doing was using source=Venafi* since Venafi only has the one feed.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jwhughes58
Contributor
‎01-20-2020 10:41 AM

What I wound up doing was using source=Venafi* since Venafi only has the one feed.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎01-18-2020 11:20 AM

Whatever you were doing in pre-prod should work fine in production, you just need to deploy it to your Indexer (or HF) tier.

0 Karma
Reply
Solved! Jump to solution

maciep
Champion
‎01-18-2020 06:34 AM

have you tried just putting the spaces in the source:: stanza? Not sure if you need regex there or why splunk wouldn't be able to handle spaces...but i've never tried.

Also, how is the data getting sent into Splunk...and is there a reason the sourcetype can't just be set there? I'm a little confused on the Rest API and the Windows UF part of the scenario...but likely it could be set at input time?

0 Karma
Reply
Solved! Jump to solution

jwhughes58
Contributor
‎01-20-2020 10:40 AM

The data is ingested by Splunk via the RestAPI. Unfortunately the application sets the sourcetype before sending the messages and the sourcetype can't be changed in the application UI.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Splunk Observability Metrics Cost Optimization

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...