Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to execute TRANSFORMS by source name in props.conf?

chrisboy68
Contributor
‎12-05-2016 11:12 AM

Hi,

Given the below:

inputs.conf

[monitor://\\MyServer\MyFolder]
disabled = false
host = MyServer
index = MyIndex
sourcetype = MySourceType
ignoreOlderThan = 2d
recursive = false
whitelist = (MyLog1\d+-\d+\.txt)|(MyLog2\d+-\d+\.txt)

props.conf

[MySourceType]
TRANSFORMS-trash = badError, badError2
BREAK_ONLY_BEFORE_DATE = TRUE
SHOULD_LINEMERGE = TRUE
TIME_FORMAT = %m/%d/%Y %T
TRUNCATE = 0
MAX_DAYS_AGO = 2
sourcetype = MySourceType


[source::.../\\Myfolder\\MyLog2*.txt]
TRANSFORMS-removejunk = setnull , setparsing

[source::..../MyServer\\MyFolder\\MyLog2*.txt]
TRANSFORMS-removejunk = setnull , setparsing


[source::\\\\MyServer\MyFolder\MyLog2*.txt]
TRANSFORMS-removejunk = setnull , setparsing

I'm trying to have a transform just for one of the log files (MyLog2) in the white list. The file is a UNC path and I have tried the 3 naming entries and nothing works. I use setnull and setparsing elsewhere so I know they function properly.

Is there a way to do this by source?

I have a workaround by creating a separate stanza just for this file, but it would be less configuration to be able to use the white list and execute a transform by source name.

Thank you,

Chris

0 Karma
Reply

maraman_splunk
Splunk Employee
Splunk Employee
‎12-06-2016 02:06 PM

are you on a single full instance or in a distributed architecture with some forwarders ?
In the second case, your settings may not be deployed on the correct instance.

0 Karma
Reply

chrisboy68
Contributor
‎12-07-2016 07:26 AM

Single. No forwarders.

Thanks for trying to help.

Chris

0 Karma
Reply

lguinn2
Legend
‎12-05-2016 02:36 PM

I think that the problem is definitely in your source:: spec. And I believe that it should be

[source::\\\\MyServer\\MyFolder\\MyLog2*.txt]

You might want to review the props.conf Global Settings
I learn something new every time I read the props.conf documentation!

0 Karma
Reply

chrisboy68
Contributor
‎12-06-2016 08:49 AM

Thanks. I just tried :
[source::\\MyServer\MyFolder\MyLog2*.txt]
Still no go. Maybe I'm missing something in reading the props.conf docs...

Chris

0 Karma
Reply

lguinn2
Legend
‎12-07-2016 11:56 AM

Have you checked the file $SPLUNK_HOME/var/log/splunk/splunkd.log for any warnings or errors?
Also, just running $SPLUNK_HOME/bin/splunk btool check might also turn up something.

I'm running low on ideas...

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Building on the foundation established in our initial Value Insights releases, we are introducing the Savings ...

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...