Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to split data into separate sourcetypes with transforms

the_rains
Engager
‎04-23-2021 07:18 AM

I am trying to split some data into difference source types using a lookup table. 

I am testing this locally.

I have a source type called A and wish to extract fields to source type B

A snippet of my data is below.

 

4/23/21
11:30:29.000 AM	
23 Fri Apr 23 2021 11:30:29 www1 sshd[4878]: Failed password for invalid user SAMPLE123:ABC11:snmp from 10.0.0.1 port 3118 ssh

    host = 192.168.1.1
    source = /A.log
    sourcetype = A

 

 

props.conf

 

 

[a]
DATETIME_CONFIG = 
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
category = Custom
pulldown_type = 1
LOOKUP-alookup = lookuptable snmp_trap AS host OUTPUT host AS host_output
TRANSFORMS-changesourcetype = B

 

 

Transforms.conf 

 

[lookuptable]
batch_index_query = 0
case_sensitive_match = 0
filename = lookuptable.csv
max_matches = 1
min_matches = 1

 

 

 

host	snmp_poll	syslog	snmp_trap
10.0.01	SAMPLE123:ABC11:ipfix	SAMPLE123:ABC11:snmp_trap SAMPLE123:ABC11:syslog

 

 

I have achieved similar in the past using Regex to separate source type but having issues doing this via a lookup table

 

Any help appreciated. 

 

Labels (1)
Labels
0 Karma
Reply

venkatasri
SplunkTrust
SplunkTrust
‎04-25-2021 08:07 PM

Hi @the_rains 

Lookups are only used during search-time on search head component, what you are trying to achieve before indexing at HF layer. Try using regex and other method which you can think of.

-----------------------------------------------------

An upvote would be appreciated if it helps!

Reply

the_rains
Engager
‎04-26-2021 01:03 AM

@venkatasri 

Yes correct this is not an index time extraction .

 

This method works using regex, but unable to with a lookuptable.

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...