Solved: How can I set the sourcetype to a value from the i...

ddrillic · ‎04-16-2017

I have a name value data stream which contains the following - "msg_sourcetype": "syslog-test". How can I set the sourcetype to be - syslog-test?

The following works - | rex "msg_sourcetype\": \"(?<one>[a-zA-Z]*)" ignoring the dash for now.

So, I guess in transforms.conf, I can have something like following, but I'm not sure about the one field...

[<our>_sourcetype]
REGEX = "msg_sourcetype\": \"(?<one>[a-zA-Z]*)" 
FORMAT = sourcetype::$1
DEST_KEY = MetaData:Sourcetype

The following is a big help - Set host values based on event data

lguinn2 · ‎04-17-2017

The following should work. Note that you do not give the field a name in the regular expression. Also, your regular expression did not give the dash as a possible character, so it would not be able to extract syslog-test. Are there any other characters that you should also include?

 [old_sourcetype]
 REGEX = \"msg_sourcetype\": \"([a-zA-Z-]*)\"
 FORMAT = sourcetype::$1
 DEST_KEY = MetaData:Sourcetype

View solution in original post

lguinn2 · ‎04-17-2017

The following should work. Note that you do not give the field a name in the regular expression. Also, your regular expression did not give the dash as a possible character, so it would not be able to extract syslog-test. Are there any other characters that you should also include?

 [old_sourcetype]
 REGEX = \"msg_sourcetype\": \"([a-zA-Z-]*)\"
 FORMAT = sourcetype::$1
 DEST_KEY = MetaData:Sourcetype

ddrillic · ‎04-19-2017

Perfect - thank you!!!

How can I set the sourcetype to a value from the input stream?

How to Get Started with Splunk Data Management Pipeline Builders (Edge Processor & ...

Out of the Box to Up And Running - Streamlined Observability for Your Cloud ...

Splunk Smartness with Brandon Sternfield | Episode 3