Getting Data In

Not able to sourcetype

pmr
Explorer

I'm unable to force the sourcetype from props.conf. Being relatively new to Splunk, I am trying to set up logging of the Solaris /var/adm/messages file. I am extracting ftp from the messages and trying to sourcetype it as ftp. What's happening is: if I try to set sourcetype to Solaris_Messages under inputs.conf for all of /var/adm/messages, it works. However, if I try to extract "ftp" with props.conf and transforms.conf, it sourcetypes it as "Syslog". I'm wondering if some default or learned sourcetype is being enforced. Below are the contents of each file:

/opt/splunk/etc/apps/SplunkForwarder/local/props.conf :

[source::.../adm/messages]
TRANSFORMS-sourcetype_for_ftpd = sourcetype_for_ftpd

/opt/splunk/etc/apps/SplunkForwarder/local/transforms.conf :

[sourcetype_for_ftpd]
DEST_KEY = MetaData:SourceType
REGEX = ftpd\[\d+\]\:
FORMAT = sourcetype::ftp

When I set props and transforms to the above and restart, all ftp messages are sourcetyped as Syslog. But when I simply set inputs.conf like below:

/opt/splunk/etc/apps/SplunkForwarder/local/inputs.conf :

[monitor:///var/adm/messages]
sourcetype = Solaris_Messages

all /var/adm/messages events are sourcetyped as Solaris_Messages, which is good. I'm wondering why my props and transforms aren't working as expected; I tried using btool and show config but couldn't exactly figure out from which file sourcetype=Syslog is getting applied. This is in a forwarder config on Solaris. Basically, sourcetype seems to be working under inputs.conf, whereas it's not for props and transforms.

Any help is greatly appreciated.

Thanks, pmr


Stephen_Sorkin
Splunk Employee

In transforms.conf, DEST_KEY is case sensitive and should be MetaData:Sourcetype as specified in transforms.conf.spec.
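To make the point about case sensitivity concrete, here is an added check (example code, not Splunk's own engine and not from the original thread) that parses a transforms.conf stanza, refuses to fire it unless DEST_KEY is spelled exactly MetaData:Sourcetype, and runs the REGEX from the question over a few constructed /var/adm/messages lines. The sourcetype-override model is a deliberate simplification: it only covers the "REGEX matches anywhere, FORMAT supplies the value, otherwise keep the default" case.

```python
import configparser
import re

# Constructed transforms.conf stanzas (not from a real deployment): the first
# mirrors the mis-cased DEST_KEY from the question, the second the corrected key.
BROKEN_TRANSFORMS = """
[sourcetype_for_ftpd]
DEST_KEY = MetaData:SourceType
REGEX = ftpd\\[\\d+\\]\\:
FORMAT = sourcetype::ftp
"""
FIXED_TRANSFORMS = BROKEN_TRANSFORMS.replace("MetaData:SourceType", "MetaData:Sourcetype")

# Constructed sample lines in Solaris /var/adm/messages style (not real log data).
SAMPLE_MESSAGES = [
    "Mar  3 10:15:02 sol10 ftpd[2345]: [ID 0 daemon.info] FTP LOGIN FROM 10.0.0.5, anonymous",
    "Mar  3 10:15:09 sol10 sshd[2401]: [ID 800047 auth.info] Accepted publickey for admin",
    "Mar  3 10:16:44 sol10 ftpd[2390]: [ID 0 daemon.info] FTP session closed",
]

SOURCETYPE_KEY = "MetaData:Sourcetype"  # exact spelling from transforms.conf.spec


def load_transform(conf_text, stanza):
    """Parse one transforms.conf stanza, keeping key names case-sensitive."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # configparser lowercases keys by default; keep them as written
    parser.read_string(conf_text)
    return dict(parser[stanza])


def assign_sourcetypes(conf_text, stanza, events, default="Syslog"):
    """Simplified model (assumption, not Splunk's implementation) of a
    TRANSFORMS-based sourcetype override: an event receives FORMAT's value only
    when DEST_KEY is exactly MetaData:Sourcetype and REGEX matches somewhere in
    the event; otherwise it keeps the default sourcetype."""
    t = load_transform(conf_text, stanza)
    # An unrecognised DEST_KEY means the transform never writes anything,
    # which is why every event fell through to Syslog in the question.
    if t.get("DEST_KEY") != SOURCETYPE_KEY:
        return [default for _ in events]
    regex = re.compile(t["REGEX"])
    value = t["FORMAT"].split("::", 1)[1]  # "sourcetype::ftp" -> "ftp"
    return [value if regex.search(e) else default for e in events]


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_TRANSFORMS), ("fixed", FIXED_TRANSFORMS)):
        print(label, assign_sourcetypes(conf, "sourcetype_for_ftpd", SAMPLE_MESSAGES))
```

Running the script prints Syslog for every line under the broken stanza and ftp for the two ftpd lines under the fixed one, matching the behaviour described in the thread.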

pmr
Explorer

Thanks Stephen, it works now. What I did was not only correct SourceType to Sourcetype in transforms.conf but also move props.conf and transforms.conf to the /etc/system/local directory from /etc/apps/SplunkForwarder/local.

So my new question is: should I always have props and transforms under /etc/system/local as opposed to under an app (/etc/apps/app-name/local) for index-time transformations? If we have different applications, each with its own props and transforms, should we always combine them under /etc/system/local?

Thanks,
pmr
