Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Not able to sourcetype

pmr
Explorer
‎09-27-2010 02:57 AM

I'm unable to force sourcetype from props.conf. Relatively new to splunk, am trying to setup logging of solaris /var/adm/messages. Am extracting ftp from the message and trying to sourcetype it as ftp. what's happening is if i try to set sourcetype to Solaris_Messages under inputs.conf for all /var/adm/messages it works. However if i try to extract "ftp" with props.conf and transforms.conf it sourcetypes it as "Syslog". I'm wondering if some default or learned sourcetypes is being enforced. Below are outputs of each files :

/opt/splunk/etc/apps/SplunkForwarder/local/props.conf :

[source::.../adm/messages]
TRANSFORMS-sourcetype_for_ftpd = sourcetype_for_ftpd

/opt/splunk/etc/apps/SplunkForwarder/local/transforms.conf :

[sourcetype_for_ftpd]
DEST_KEY = MetaData:SourceType
REGEX = ftpd\[\d+\]\:
FORMAT = sourcetype::ftp

when i set props and transforms to the above and restart, all ftp messages are sourcetype'd as Syslog. But when i simply set inputs.conf like below :

/opt/splunk/etc/apps/SplunkForwarder/local/inputs.conf :

[monitor:///var/adm/messages]
sourcetype = Solaris_Messages

all /var/adm/messages are sourcetype'd as Solaris_Messages which is good. I'm wondering why my props and transforms isn't working as expected, i tried using btool and show config but couldn't exactly figure out from which file sourcetype=Syslog is getting applied. This is in a forwarder config on solaris. Basically sourcetype seems to be working under inputs.conf whereas its not for props and transforms.

Any help is greatly appreciated.

thanks pmr

Tags (1)
0 Karma
Reply

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎09-27-2010 05:06 AM

In transforms.conf, DEST_KEY is case sensitive and should be MetaData:Sourcetype as specified in transforms.conf.spec.

Reply

pmr
Explorer
‎09-27-2010 03:15 PM

Thanks Stephen.. it works now. what i did was not only correct SourceType to Sourcetype in transforms.conf but also move props and transforms.conf to /etc/system/local directory from /etc/apps/SplunkForwarder/local.

so my new question is should i always have props and transforms under /etc/system/local as supposed to under an App (/etc/apps/app-name/local) for index time transformations ? If we have different applications with its own props and transforms, should we always combine that under /etc/system/local ?

thanks
pmr

0 Karma
Reply
Get Updates on the Splunk Community!

AI for AppInspect

We’re excited to announce two new updates to AppInspect designed to save you time and make the app approval ...

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

As we step into 2026, it’s the perfect moment to reflect on what an extraordinary year 2025 was for the Splunk ...

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Overview Enterprise Security 8.3 introduces a powerful new feature called “Entity Risk Scoring” (ERS) for ...