Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Dynamic sourcetype based on source not working
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm trying to set sourcetype based on a regex from the source path during indexing, and it is not working.
What am I doing wrong?
props.conf
[source::/var/log/docker/...]
TRANSFORMS-setsourcetype = setsourcetype
transforms.conf
[setsourcetype]
SOURCE_KEY = source
REGEX = ^\/var\/log\/docker\/[^\/]*\/([^\/]*)
FORMAT = sourcetype::$1
DEST_KEY = MetaData:Sourcetype
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The SOURCE_KEY should be MetaData:Source.
Ensure, the configurations are deployed in first full SPlunk instance (heavy forwarder OR indexer)
If it still doesn't work, try [source::/var/log/docker/*] instead of [source::/var/log/docker/...]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The SOURCE_KEY should be MetaData:Source.
Ensure, the configurations are deployed in first full SPlunk instance (heavy forwarder OR indexer)
If it still doesn't work, try [source::/var/log/docker/*] instead of [source::/var/log/docker/...]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I changed props to [source::/var/log/docker//] and verified it is working by adding a SEDCMD.
SOURCE_KEY = MetaData:Source is not working in transforms.conf (I think that should technically be the correct solution, though)
I'll put in a ticket with Splunk support and report back here what we find out.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Looks like there may be stray characters on the value of source. I added global matches on either end of the source value and now it is parsing fine.
props.conf
[source::/var/log/docker//]
TRANSFORMS-setsourcetype_from_source = setsourcetype_from_source
transforms.conf:
[setsourcetype_from_source]
DEST_KEY = MetaData:Sourcetype
SOURCE_KEY = MetaData:Source
REGEX = .*\/var\/log\/docker\/[^\/]+\/([^\/]+).*
FORMAT = sourcetype::$1
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Mile High Learning with Splunk University, Denver, Colorado
IT Service Intelligence 5.0 Series: Your Guide to the June Launch
Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0
