Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to split data into separate sourcetypes with transforms

the_rains
Engager
‎04-23-2021 07:18 AM

I am trying to split some data into difference source types using a lookup table. 

I am testing this locally.

I have a source type called A and wish to extract fields to source type B

A snippet of my data is below.

 

4/23/21
11:30:29.000 AM	
23 Fri Apr 23 2021 11:30:29 www1 sshd[4878]: Failed password for invalid user SAMPLE123:ABC11:snmp from 10.0.0.1 port 3118 ssh

    host = 192.168.1.1
    source = /A.log
    sourcetype = A

 

 

props.conf

 

 

[a]
DATETIME_CONFIG = 
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
category = Custom
pulldown_type = 1
LOOKUP-alookup = lookuptable snmp_trap AS host OUTPUT host AS host_output
TRANSFORMS-changesourcetype = B

 

 

Transforms.conf 

 

[lookuptable]
batch_index_query = 0
case_sensitive_match = 0
filename = lookuptable.csv
max_matches = 1
min_matches = 1

 

 

 

host	snmp_poll	syslog	snmp_trap
10.0.01	SAMPLE123:ABC11:ipfix	SAMPLE123:ABC11:snmp_trap SAMPLE123:ABC11:syslog

 

 

I have achieved similar in the past using Regex to separate source type but having issues doing this via a lookup table

 

Any help appreciated. 

 

Labels (1)
Labels
0 Karma
Reply

venkatasri
SplunkTrust
SplunkTrust
‎04-25-2021 08:07 PM

Hi @the_rains 

Lookups are only used during search-time on search head component, what you are trying to achieve before indexing at HF layer. Try using regex and other method which you can think of.

-----------------------------------------------------

An upvote would be appreciated if it helps!

Reply

the_rains
Engager
‎04-26-2021 01:03 AM

@venkatasri 

Yes correct this is not an index time extraction .

 

This method works using regex, but unable to with a lookuptable.

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...