I'm working on a TA to process Venafi messages brought in via RestAPI. When I was testing I used hostname in the props.conf file to call the transform to change the sourcetype. I can't do that in production because the production Windows servers send logs via the UF. I tried this yesterday in test.
TZ = US/Pacific
TRANSFORMS-venafi = venafi_sourcetype_rename
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::venafi_tpp
REGEX = (.)
According to the Splunk documentation it is a source-matching pattern
This is what I have to work with
source = Venafi Trust Protection Platform
sourcetype = Venafi TPP Log Event
Any ideas on how I can use source to reset sourcetype?
have you tried just putting the spaces in the source:: stanza? Not sure if you need regex there or why splunk wouldn't be able to handle spaces...but i've never tried.
Also, how is the data getting sent into Splunk...and is there a reason the sourcetype can't just be set there? I'm a little confused on the Rest API and the Windows UF part of the scenario...but likely it could be set at input time?
The data is ingested by Splunk via the RestAPI. Unfortunately the application sets the sourcetype before sending the messages and the sourcetype can't be changed in the application UI.