- Community
- :
- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How do i clone one sourcetype multiple times?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HI
Currently i copy a sourcetypes with TRANSFORMS-CLONE and it works, example below.
But i want to use TRANSFORMS-CLONE multiple times from the original props.conf is that possible?
Current Situation
Forwarder
[monitor:///net/hp737srv/hp737srv1/apps/TEST/JAVA_11_TEST_FILES/FULL_LOGS_NO2/logs.../*]
sourcetype = G1
crcSalt = <SOURCE>
props.conf
[G1]
TRANSFORMS-CLONE = CLONE_SOURCETYPE_JAVA
transforms.conf
[CLONE_SOURCETYPE_JAVA]
CLONE_SOURCETYPE = sun_jvm
REGEX = .
However I now have to make more TRANSFORMS-CLONE work from more then 1 (This does not work)
props.conf
[G1]
TRANSFORMS-CLONE = CLONE_SOURCETYPE_JAVA
TRANSFORMS-CLONE = CLONE_SOURCETYPE_JAVA2
TRANSFORMS-CLONE = CLONE_SOURCETYPE_JAVA3
Or if i tried the other way in the to clone in the transforms.conf multiple times (it does not work either)
And use multiple CLONE_SOURCETYPE_JAVA in the transforms.conf, it only pick one of them not the second one.
transforms.conf
[CLONE_SOURCETYPE_JAVA]
CLONE_SOURCETYPE = sun_jvm
REGEX = .
[CLONE_SOURCETYPE_JAVA]
CLONE_SOURCETYPE = GC11
REGEX = .
It does work if i push one to another and then again to another...but this creates a long string. JAVA->GC11->sun_jvm
I want it to come in a sourcetype X. Then copy X to A,B,C and not have a long string
Thanks in Advance for any help
Rob 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
props.conf
[G1]
TRANSFORMS-CLONE = CLONE_SOURCETYPE_JAVA_sun_jvm,CLONE_SOURCETYPE_JAVA_gc11
transforms.conf
[CLONE_SOURCETYPE_JAVA_sun_jvm]
CLONE_SOURCETYPE = sun_jvm
REGEX = .
[CLONE_SOURCETYPE_JAVA_gc11]
CLONE_SOURCETYPE = GC11
REGEX = .
Although I'm not sure I understand why you want to do this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
props.conf
[G1]
TRANSFORMS-CLONE = CLONE_SOURCETYPE_JAVA_sun_jvm,CLONE_SOURCETYPE_JAVA_gc11
transforms.conf
[CLONE_SOURCETYPE_JAVA_sun_jvm]
CLONE_SOURCETYPE = sun_jvm
REGEX = .
[CLONE_SOURCETYPE_JAVA_gc11]
CLONE_SOURCETYPE = GC11
REGEX = .
Although I'm not sure I understand why you want to do this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
perfect, can you change to a an answer and i will accept it please.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I need this as the files that come in *.gc.log can be many different garabage collection ways, JAVA 8,9,11 J1 etc.... So i have to take them in and use REGEX to decide what is what.
thanks
There's No Place Like Chrome and the Splunk Platform
The Great Resilience Quest: 5th Leaderboard Update
Devesh Logendran, Splunk, and the Singapore Cyber Conquest
