- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How can I override sourcetype and redirect to ano...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Guys,
I want to override sourcetype for all events before being indexed and redirect some of those events (those with ERROR) to another index with the overridden sourcetype.
So, I need events to be spread between two indexes: test1 and test2 (with ERROR events) and I need all of the events to have the same access_combined sourcetype.
I use oneshot command to ingest data from a file:
>splunk add oneshot C://opt/log.txt -index test1 -sourcetype test_sourcetype
and now my props.conf looks like this:
[host::myhost]
LINE_BREAKER = \d+(&)
SHOULD_LINEMERGE = false
TRANSFORMS = custom_sourcetype
TRANSFORMS = route_notfound
LINE_BREAKER is here because its a oneline log, so I need to break it into events and it works fine.
and my transforms.conf:
[custom_sourcetype]
SOURCE_KEY = _raw
REGEX = .*
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::access_combined
[route_notfound]
REGEX = ERROR
DEST_KEY = _MetaData:Index
FORMAT = another_index
and if I use those transforms seperately they work fine (i switch them off by using # in props.conf) but they do not work together....
How can I do those two things in one step? before data being indexed?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In your props.conf, TRANSFORMS must have a unique name.
Please try this,
props.conf:
[host::myhost]
LINE_BREAKER = \d+(&)
SHOULD_LINEMERGE = false
TRANSFORMS-override = custom_sourcetype
TRANSFORMS-route = route_notfound
OR
[host::myhost]
LINE_BREAKER = \d+(&)
SHOULD_LINEMERGE = false
TRANSFORMS-mywork = custom_sourcetype, route_notfound
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In your props.conf, TRANSFORMS must have a unique name.
Please try this,
props.conf:
[host::myhost]
LINE_BREAKER = \d+(&)
SHOULD_LINEMERGE = false
TRANSFORMS-override = custom_sourcetype
TRANSFORMS-route = route_notfound
OR
[host::myhost]
LINE_BREAKER = \d+(&)
SHOULD_LINEMERGE = false
TRANSFORMS-mywork = custom_sourcetype, route_notfound
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Works like a charm! Thank you very much!
Introducing the Splunk Community Dashboard Challenge!
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...
