- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Getting Data into iseries app
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Getting Data into iseries app
I have multiple feeds coming into UDP:514, from this input I have ASA, ESA, and as400 data coming in. I have recently installed the iseries app and am having trouble getting data into it. The data coming from UDP:514 all goes to sourcetype= syslog using this stanza in the global settings
ect\system\inputs.conf
[udp://514]
connection_host = ip
index = index_syslog
sourcetype = syslog
in the iseries apps local i want to split out the data that comes from the as400 by changing the sourcetype to [as400]. to do this I attempted to use the stanza in file
etc\apps\iseries\local\inputs.conf
[as400]
search = sourcetype= syslog
disabled = 0
but it did not work. So my question is how do I extract just the as400 data out of my UDP:514 input and change the sourcetype so that the data will flow into the iseries app properly.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I can well believe that your inputs.conf did not work, as the syntax is not at all what Splunk expects.
You will need to use the props.conf and transforms.conf files to override the sourcetype setting on events arriving from the network port. There is a good example in the documentation on how to override default host assignments. You can use this same idea to reset the sourcetype. Your props.conf and transforms.conf might look like this:
props.conf
[syslog]
TRANSFORMS-syslog1=reset-sourcetype
transforms.conf
[reset-sourcetype]
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Sourcetype
REGEX = (?i)as400
FORMAT = sourcetype::as400
This assumes that your host is being set properly. If it doesn't work, post back - there is another way to do this as well.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't know what you mean by "source type being assigned correctly at etc/system level" - it would be helpful if you could show the relevant config file snippets..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I now have the data sorted by host and the as400 sourcetype is being assigned correctly at the ect system level. My problem is now that the app is not seeing the as400 sourcetype and accepting the data. within the app i have tried different configuration with non of them working.
Splunk Custom Visualizations App End of Life
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
