Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do i clone one sourcetype multiple times?

robertlynch2020
Influencer
‎02-21-2020 03:18 AM

HI

Currently i copy a sourcetypes with TRANSFORMS-CLONE and it works, example below.
But i want to use TRANSFORMS-CLONE multiple times from the original props.conf is that possible?

Current Situation

Forwarder
[monitor:///net/hp737srv/hp737srv1/apps/TEST/JAVA_11_TEST_FILES/FULL_LOGS_NO2/logs.../*]
sourcetype = G1
crcSalt = <SOURCE>

props.conf
[G1]
TRANSFORMS-CLONE = CLONE_SOURCETYPE_JAVA

transforms.conf
[CLONE_SOURCETYPE_JAVA]
CLONE_SOURCETYPE = sun_jvm
REGEX = .

However I now have to make more TRANSFORMS-CLONE work from more then 1 (This does not work)

props.conf
[G1]
TRANSFORMS-CLONE = CLONE_SOURCETYPE_JAVA
TRANSFORMS-CLONE = CLONE_SOURCETYPE_JAVA2
TRANSFORMS-CLONE = CLONE_SOURCETYPE_JAVA3

Or if i tried the other way in the to clone in the transforms.conf multiple times (it does not work either)

And use multiple CLONE_SOURCETYPE_JAVA in the transforms.conf, it only pick one of them not the second one.

transforms.conf
[CLONE_SOURCETYPE_JAVA]
CLONE_SOURCETYPE = sun_jvm
REGEX = .

[CLONE_SOURCETYPE_JAVA]
CLONE_SOURCETYPE = GC11
REGEX = .

It does work if i push one to another and then again to another...but this creates a long string. JAVA->GC11->sun_jvm
I want it to come in a sourcetype X. Then copy X to A,B,C and not have a long string

Thanks in Advance for any help
Rob 🙂

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎02-21-2020 04:20 AM 
 props.conf
 [G1]
 TRANSFORMS-CLONE = CLONE_SOURCETYPE_JAVA_sun_jvm,CLONE_SOURCETYPE_JAVA_gc11

transforms.conf
 [CLONE_SOURCETYPE_JAVA_sun_jvm]
 CLONE_SOURCETYPE = sun_jvm
 REGEX = .

[CLONE_SOURCETYPE_JAVA_gc11]
 CLONE_SOURCETYPE = GC11
 REGEX = .

Although I'm not sure I understand why you want to do this?

If my comment helps, please give it a thumbs up!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎02-21-2020 04:20 AM 
 props.conf
 [G1]
 TRANSFORMS-CLONE = CLONE_SOURCETYPE_JAVA_sun_jvm,CLONE_SOURCETYPE_JAVA_gc11

transforms.conf
 [CLONE_SOURCETYPE_JAVA_sun_jvm]
 CLONE_SOURCETYPE = sun_jvm
 REGEX = .

[CLONE_SOURCETYPE_JAVA_gc11]
 CLONE_SOURCETYPE = GC11
 REGEX = .

Although I'm not sure I understand why you want to do this?

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Solved! Jump to solution

robertlynch2020
Influencer
‎02-21-2020 04:30 AM

perfect, can you change to a an answer and i will accept it please.

0 Karma
Reply
Solved! Jump to solution

robertlynch2020
Influencer
‎02-21-2020 04:53 AM

I need this as the files that come in *.gc.log can be many different garabage collection ways, JAVA 8,9,11 J1 etc.... So i have to take them in and use REGEX to decide what is what.

thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...