Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to split data into separate sourcetypes with transforms

the_rains
Engager
‎04-23-2021 07:18 AM

I am trying to split some data into difference source types using a lookup table. 

I am testing this locally.

I have a source type called A and wish to extract fields to source type B

A snippet of my data is below.

 

4/23/21
11:30:29.000 AM	
23 Fri Apr 23 2021 11:30:29 www1 sshd[4878]: Failed password for invalid user SAMPLE123:ABC11:snmp from 10.0.0.1 port 3118 ssh

    host = 192.168.1.1
    source = /A.log
    sourcetype = A

 

 

props.conf

 

 

[a]
DATETIME_CONFIG = 
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
category = Custom
pulldown_type = 1
LOOKUP-alookup = lookuptable snmp_trap AS host OUTPUT host AS host_output
TRANSFORMS-changesourcetype = B

 

 

Transforms.conf 

 

[lookuptable]
batch_index_query = 0
case_sensitive_match = 0
filename = lookuptable.csv
max_matches = 1
min_matches = 1

 

 

 

host	snmp_poll	syslog	snmp_trap
10.0.01	SAMPLE123:ABC11:ipfix	SAMPLE123:ABC11:snmp_trap SAMPLE123:ABC11:syslog

 

 

I have achieved similar in the past using Regex to separate source type but having issues doing this via a lookup table

 

Any help appreciated. 

 

Labels (1)
Labels
0 Karma
Reply

venkatasri
SplunkTrust
SplunkTrust
‎04-25-2021 08:07 PM

Hi @the_rains 

Lookups are only used during search-time on search head component, what you are trying to achieve before indexing at HF layer. Try using regex and other method which you can think of.

-----------------------------------------------------

An upvote would be appreciated if it helps!

Reply

the_rains
Engager
‎04-26-2021 01:03 AM

@venkatasri 

Yes correct this is not an index time extraction .

 

This method works using regex, but unable to with a lookuptable.

0 Karma
Reply
Get Updates on the Splunk Community!

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Cultivate Your Career Growth with Fresh Splunk Training

Growth doesn’t just happen—it’s nurtured. Like tending a garden, developing your Splunk skills takes the right ...

Introducing a Smarter Way to Discover Apps on Splunkbase

We’re excited to announce the launch of a foundational enhancement to Splunkbase: App Tiering.  Because we’ve ...
Top