Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do i clone one sourcetype multiple times?

robertlynch2020
Motivator
‎02-21-2020 03:18 AM

HI

Currently i copy a sourcetypes with TRANSFORMS-CLONE and it works, example below.
But i want to use TRANSFORMS-CLONE multiple times from the original props.conf is that possible?

Current Situation

Forwarder
[monitor:///net/hp737srv/hp737srv1/apps/TEST/JAVA_11_TEST_FILES/FULL_LOGS_NO2/logs.../*]
sourcetype = G1
crcSalt = <SOURCE>

props.conf
[G1]
TRANSFORMS-CLONE = CLONE_SOURCETYPE_JAVA

transforms.conf
[CLONE_SOURCETYPE_JAVA]
CLONE_SOURCETYPE = sun_jvm
REGEX = .

However I now have to make more TRANSFORMS-CLONE work from more then 1 (This does not work)

props.conf
[G1]
TRANSFORMS-CLONE = CLONE_SOURCETYPE_JAVA
TRANSFORMS-CLONE = CLONE_SOURCETYPE_JAVA2
TRANSFORMS-CLONE = CLONE_SOURCETYPE_JAVA3

Or if i tried the other way in the to clone in the transforms.conf multiple times (it does not work either)

And use multiple CLONE_SOURCETYPE_JAVA in the transforms.conf, it only pick one of them not the second one.

transforms.conf
[CLONE_SOURCETYPE_JAVA]
CLONE_SOURCETYPE = sun_jvm
REGEX = .

[CLONE_SOURCETYPE_JAVA]
CLONE_SOURCETYPE = GC11
REGEX = .

It does work if i push one to another and then again to another...but this creates a long string. JAVA->GC11->sun_jvm
I want it to come in a sourcetype X. Then copy X to A,B,C and not have a long string

Thanks in Advance for any help
Rob 🙂

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎02-21-2020 04:20 AM 
 props.conf
 [G1]
 TRANSFORMS-CLONE = CLONE_SOURCETYPE_JAVA_sun_jvm,CLONE_SOURCETYPE_JAVA_gc11

transforms.conf
 [CLONE_SOURCETYPE_JAVA_sun_jvm]
 CLONE_SOURCETYPE = sun_jvm
 REGEX = .

[CLONE_SOURCETYPE_JAVA_gc11]
 CLONE_SOURCETYPE = GC11
 REGEX = .

Although I'm not sure I understand why you want to do this?

If my comment helps, please give it a thumbs up!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎02-21-2020 04:20 AM 
 props.conf
 [G1]
 TRANSFORMS-CLONE = CLONE_SOURCETYPE_JAVA_sun_jvm,CLONE_SOURCETYPE_JAVA_gc11

transforms.conf
 [CLONE_SOURCETYPE_JAVA_sun_jvm]
 CLONE_SOURCETYPE = sun_jvm
 REGEX = .

[CLONE_SOURCETYPE_JAVA_gc11]
 CLONE_SOURCETYPE = GC11
 REGEX = .

Although I'm not sure I understand why you want to do this?

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Solved! Jump to solution

robertlynch2020
Motivator
‎02-21-2020 04:30 AM

perfect, can you change to a an answer and i will accept it please.

0 Karma
Reply
Solved! Jump to solution

robertlynch2020
Motivator
‎02-21-2020 04:53 AM

I need this as the files that come in *.gc.log can be many different garabage collection ways, JAVA 8,9,11 J1 etc.... So i have to take them in and use REGEX to decide what is what.

thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...