Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Getting Data into iseries app

jarjoh42
Path Finder
‎01-03-2013 10:54 AM

I have multiple feeds coming into UDP:514, from this input I have ASA, ESA, and as400 data coming in. I have recently installed the iseries app and am having trouble getting data into it. The data coming from UDP:514 all goes to sourcetype= syslog using this stanza in the global settings

ect\system\inputs.conf

[udp://514]
connection_host = ip
index = index_syslog
sourcetype = syslog

in the iseries apps local i want to split out the data that comes from the as400 by changing the sourcetype to [as400]. to do this I attempted to use the stanza in file

etc\apps\iseries\local\inputs.conf

[as400]
search = sourcetype= syslog
disabled = 0

but it did not work. So my question is how do I extract just the as400 data out of my UDP:514 input and change the sourcetype so that the data will flow into the iseries app properly.

Tags (1)
0 Karma
Reply

lguinn2
Legend
‎01-03-2013 12:28 PM

I can well believe that your inputs.conf did not work, as the syntax is not at all what Splunk expects.

You will need to use the props.conf and transforms.conf files to override the sourcetype setting on events arriving from the network port. There is a good example in the documentation on how to override default host assignments. You can use this same idea to reset the sourcetype. Your props.conf and transforms.conf might look like this:

props.conf

[syslog]
TRANSFORMS-syslog1=reset-sourcetype

transforms.conf

[reset-sourcetype]
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Sourcetype
REGEX = (?i)as400
FORMAT = sourcetype::as400

This assumes that your host is being set properly. If it doesn't work, post back - there is another way to do this as well.

Reply

lguinn2
Legend
‎06-17-2013 09:36 AM

I don't know what you mean by "source type being assigned correctly at etc/system level" - it would be helpful if you could show the relevant config file snippets..

0 Karma
Reply

jarjoh42
Path Finder
‎06-17-2013 07:28 AM

I now have the data sorted by host and the as400 sourcetype is being assigned correctly at the ect system level. My problem is now that the app is not seeing the as400 sourcetype and accepting the data. within the app i have tried different configuration with non of them working.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...