Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do i clone one sourcetype multiple times?

robertlynch2020
Influencer
‎02-21-2020 03:18 AM

HI

Currently i copy a sourcetypes with TRANSFORMS-CLONE and it works, example below.
But i want to use TRANSFORMS-CLONE multiple times from the original props.conf is that possible?

Current Situation

Forwarder
[monitor:///net/hp737srv/hp737srv1/apps/TEST/JAVA_11_TEST_FILES/FULL_LOGS_NO2/logs.../*]
sourcetype = G1
crcSalt = <SOURCE>

props.conf
[G1]
TRANSFORMS-CLONE = CLONE_SOURCETYPE_JAVA

transforms.conf
[CLONE_SOURCETYPE_JAVA]
CLONE_SOURCETYPE = sun_jvm
REGEX = .

However I now have to make more TRANSFORMS-CLONE work from more then 1 (This does not work)

props.conf
[G1]
TRANSFORMS-CLONE = CLONE_SOURCETYPE_JAVA
TRANSFORMS-CLONE = CLONE_SOURCETYPE_JAVA2
TRANSFORMS-CLONE = CLONE_SOURCETYPE_JAVA3

Or if i tried the other way in the to clone in the transforms.conf multiple times (it does not work either)

And use multiple CLONE_SOURCETYPE_JAVA in the transforms.conf, it only pick one of them not the second one.

transforms.conf
[CLONE_SOURCETYPE_JAVA]
CLONE_SOURCETYPE = sun_jvm
REGEX = .

[CLONE_SOURCETYPE_JAVA]
CLONE_SOURCETYPE = GC11
REGEX = .

It does work if i push one to another and then again to another...but this creates a long string. JAVA->GC11->sun_jvm
I want it to come in a sourcetype X. Then copy X to A,B,C and not have a long string

Thanks in Advance for any help
Rob 🙂

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎02-21-2020 04:20 AM 
 props.conf
 [G1]
 TRANSFORMS-CLONE = CLONE_SOURCETYPE_JAVA_sun_jvm,CLONE_SOURCETYPE_JAVA_gc11

transforms.conf
 [CLONE_SOURCETYPE_JAVA_sun_jvm]
 CLONE_SOURCETYPE = sun_jvm
 REGEX = .

[CLONE_SOURCETYPE_JAVA_gc11]
 CLONE_SOURCETYPE = GC11
 REGEX = .

Although I'm not sure I understand why you want to do this?

If my comment helps, please give it a thumbs up!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎02-21-2020 04:20 AM 
 props.conf
 [G1]
 TRANSFORMS-CLONE = CLONE_SOURCETYPE_JAVA_sun_jvm,CLONE_SOURCETYPE_JAVA_gc11

transforms.conf
 [CLONE_SOURCETYPE_JAVA_sun_jvm]
 CLONE_SOURCETYPE = sun_jvm
 REGEX = .

[CLONE_SOURCETYPE_JAVA_gc11]
 CLONE_SOURCETYPE = GC11
 REGEX = .

Although I'm not sure I understand why you want to do this?

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Solved! Jump to solution

robertlynch2020
Influencer
‎02-21-2020 04:30 AM

perfect, can you change to a an answer and i will accept it please.

0 Karma
Reply
Solved! Jump to solution

robertlynch2020
Influencer
‎02-21-2020 04:53 AM

I need this as the files that come in *.gc.log can be many different garabage collection ways, JAVA 8,9,11 J1 etc.... So i have to take them in and use REGEX to decide what is what.

thanks

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...