Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Events with reassigned sourcetype (via props and transforms) become unsearchable

splunkIT
Splunk Employee
Splunk Employee
‎06-03-2015 08:30 AM

I have the following input:

--inputs.conf--
[monitor:///logs/cisco_raw.txt]
disabled = 0
sourcetype = syslog

The following props and transforms are configured to reassign the sourcetype from syslog to iosVoice, based on the hostname:

--props.conf--
[syslog]
TRANSFORMS-tr7 = set_sourcetype_cisco:ios:voice_by_host

--transforms.conf--
[set_sourcetype_cisco:ios:voice_by_host]
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Sourcetype
FORMAT = iosVoice
REGEX = myhost1.domain.com|myhost2.domain.com

When I search for:

index=main

Splunk is showing the correct sourcetyp: iosVoice

However, if I search:

index=main sourcetype="iosVoice"

Splunk would return 0 event. Why?

Reply
1 Solution
Solved! Jump to solution
Solution

splunkIT
Splunk Employee
Splunk Employee
‎06-03-2015 08:35 AM

The solution to this problem is that the I did not use

FORMAT = sourcetype::iosVoice

for my format field in transforms.conf. This exact example is actually in the documentation for Splunk here: http://docs.splunk.com/Documentation/Splunk/latest/Data/Advancedsourcetypeoverrides

View solution in original post

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎06-03-2015 08:36 AM

Did you put this file on every one of your indexers and then bounce Splunk on each one afterward?

$SPLUNK_HOME/bin/splunk restart
0 Karma
Reply
Solved! Jump to solution
Solution

splunkIT
Splunk Employee
Splunk Employee
‎06-03-2015 08:35 AM

The solution to this problem is that the I did not use

FORMAT = sourcetype::iosVoice

for my format field in transforms.conf. This exact example is actually in the documentation for Splunk here: http://docs.splunk.com/Documentation/Splunk/latest/Data/Advancedsourcetypeoverrides

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...