Solved: How to rename sourcetype in props.conf?

SalimRahmani · ‎07-17-2014

Hi,

After setting up a listen on UDP port (514) for syslog using inputs.conf, I tried to change the sourcetype from syslog (set in inputs.conf) to syslog_nf. Thus, i used the first method

props.conf
[source::udp:514]
sourcetype = syslog_nf

this doesn't change anything!
However, when I do:
[syslog]
rename = syslog_nf

the change happens! Does anyone have any idea about this?

strive · ‎07-17-2014

Try this.

First define sourcetye in transforms.conf. Something like

[set_sourcetype_syslog_nf]
FORMAT = sourcetype::syslong_nf
DEST_KEY = MetaData:Sourcetype

Note: Check if you need any REGEX.

Then, in props.conf

[source::udp:514]  
TRANSFORMS-changesourcetype = set_sourcetype_syslog_nf

But, As somesoni2 commented, i would also suggest to set sourcetypes in inputs.conf

View solution in original post

strive · ‎07-17-2014

Try this.

First define sourcetye in transforms.conf. Something like

[set_sourcetype_syslog_nf]
FORMAT = sourcetype::syslong_nf
DEST_KEY = MetaData:Sourcetype

Note: Check if you need any REGEX.

Then, in props.conf

[source::udp:514]  
TRANSFORMS-changesourcetype = set_sourcetype_syslog_nf

But, As somesoni2 commented, i would also suggest to set sourcetypes in inputs.conf

somesoni2 · ‎07-17-2014

Try changing the sourcetype directly in inputs.conf. Its simpler than doing the same thing through props.conf.

How to rename sourcetype in props.conf?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation