Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to split data into separate sourcetypes with transforms

the_rains
Engager
‎04-23-2021 07:18 AM

I am trying to split some data into difference source types using a lookup table. 

I am testing this locally.

I have a source type called A and wish to extract fields to source type B

A snippet of my data is below.

 

4/23/21
11:30:29.000 AM	
23 Fri Apr 23 2021 11:30:29 www1 sshd[4878]: Failed password for invalid user SAMPLE123:ABC11:snmp from 10.0.0.1 port 3118 ssh

    host = 192.168.1.1
    source = /A.log
    sourcetype = A

 

 

props.conf

 

 

[a]
DATETIME_CONFIG = 
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
category = Custom
pulldown_type = 1
LOOKUP-alookup = lookuptable snmp_trap AS host OUTPUT host AS host_output
TRANSFORMS-changesourcetype = B

 

 

Transforms.conf 

 

[lookuptable]
batch_index_query = 0
case_sensitive_match = 0
filename = lookuptable.csv
max_matches = 1
min_matches = 1

 

 

 

host	snmp_poll	syslog	snmp_trap
10.0.01	SAMPLE123:ABC11:ipfix	SAMPLE123:ABC11:snmp_trap SAMPLE123:ABC11:syslog

 

 

I have achieved similar in the past using Regex to separate source type but having issues doing this via a lookup table

 

Any help appreciated. 

 

Labels (1)
Labels
0 Karma
Reply

venkatasri
SplunkTrust
SplunkTrust
‎04-25-2021 08:07 PM

Hi @the_rains 

Lookups are only used during search-time on search head component, what you are trying to achieve before indexing at HF layer. Try using regex and other method which you can think of.

-----------------------------------------------------

An upvote would be appreciated if it helps!

Reply

the_rains
Engager
‎04-26-2021 01:03 AM

@venkatasri 

Yes correct this is not an index time extraction .

 

This method works using regex, but unable to with a lookuptable.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...