I'm trying to set sourcetype based on a regex from the source path during indexing, and it is not working. What am I doing wrong?
props.conf
[source::/var/log/docker/...] TRANSFORMS-setsourcetype = setsourcetype
transforms.conf
[setsourcetype] SOURCE_KEY = source REGEX = ^\/var\/log\/docker\/[^\/]*\/([^\/]*) FORMAT = sourcetype::$1 DEST_KEY = MetaData:Sourcetype
The SOURCE_KEY should be MetaData:Source.
SOURCE_KEY
MetaData:Source
Ensure, the configurations are deployed in first full SPlunk instance (heavy forwarder OR indexer)
If it still doesn't work, try [source::/var/log/docker/*] instead of [source::/var/log/docker/...]
[source::/var/log/docker/*]
[source::/var/log/docker/...]
View solution in original post
I changed props to [source::/var/log/docker//] and verified it is working by adding a SEDCMD.
SOURCE_KEY = MetaData:Source is not working in transforms.conf (I think that should technically be the correct solution, though)
I'll put in a ticket with Splunk support and report back here what we find out.
Looks like there may be stray characters on the value of source. I added global matches on either end of the source value and now it is parsing fine.
props.conf [source::/var/log/docker//] TRANSFORMS-setsourcetype_from_source = setsourcetype_from_source
transforms.conf: [setsourcetype_from_source] DEST_KEY = MetaData:Sourcetype SOURCE_KEY = MetaData:Source REGEX = .*\/var\/log\/docker\/[^\/]+\/([^\/]+).* FORMAT = sourcetype::$1
