Not able to sourcetype

pmr
Explorer

I'm unable to force sourcetype from props.conf. Relatively new to Splunk, I am trying to set up logging of Solaris /var/adm/messages. I am extracting ftp from the message and trying to sourcetype it as ftp. What's happening is that if I try to set sourcetype to Solaris_Messages under inputs.conf for all of /var/adm/messages, it works. However, if I try to extract "ftp" with props.conf and transforms.conf, it sourcetypes it as "Syslog". I'm wondering if some default or learned sourcetype is being enforced. Below are the outputs of each file:

/opt/splunk/etc/apps/SplunkForwarder/local/props.conf :

[source::.../adm/messages]
TRANSFORMS-sourcetype_for_ftpd = sourcetype_for_ftpd

/opt/splunk/etc/apps/SplunkForwarder/local/transforms.conf :

[sourcetype_for_ftpd]
DEST_KEY = MetaData:SourceType
REGEX = ftpd\[\d+\]\:
FORMAT = sourcetype::ftp

When I set props and transforms to the above and restart, all ftp messages are sourcetyped as Syslog. But when I simply set inputs.conf like below:

/opt/splunk/etc/apps/SplunkForwarder/local/inputs.conf :

[monitor:///var/adm/messages]
sourcetype = Solaris_Messages

all /var/adm/messages are sourcetyped as Solaris_Messages, which is good. I'm wondering why my props and transforms aren't working as expected. I tried using btool and show config but couldn't exactly figure out from which file sourcetype=Syslog is getting applied. This is in a forwarder config on Solaris. Basically, sourcetype seems to be working under inputs.conf whereas it's not for props and transforms.

Any help is greatly appreciated.

Thanks, pmr


Stephen_Sorkin
Splunk Employee

In transforms.conf, DEST_KEY is case sensitive and should be MetaData:Sourcetype as specified in transforms.conf.spec.
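To show Stephen's point in practice, here is an added example (not from the thread and not Splunk's own code): a small Python check that parses a transforms.conf stanza, flags a DEST_KEY that is not spelled exactly as in transforms.conf.spec, and models the index-time override on constructed /var/adm/messages lines. The list of known DEST_KEY names is a subset written from memory, the sample log lines are constructed, and the "wrong key means no override" behaviour is an assumption based on what the thread describes.

```python
import configparser
import re

# DEST_KEY names from transforms.conf.spec (subset, from memory); spelling is
# case-sensitive, so "MetaData:SourceType" with a capital T matches none of them.
KNOWN_DEST_KEYS = {"MetaData:Sourcetype", "MetaData:Host", "MetaData:Source", "_MetaData:Index", "queue"}

# Constructed transforms.conf text: the stanza from the question, typo included.
TRANSFORMS_CONF = """[sourcetype_for_ftpd]
DEST_KEY = MetaData:SourceType
REGEX = ftpd\\[\\d+\\]\\:
FORMAT = sourcetype::ftp
"""

# Constructed /var/adm/messages-style lines (sample data, not from a real host).
SAMPLE_LINES = [
    "Mar  3 10:15:01 sol10 ftpd[2231]: [ID 702911 daemon.info] connection from 192.0.2.10",
    "Mar  3 10:15:02 sol10 sshd[1812]: [ID 800047 auth.info] Accepted publickey for admin",
]

def parse_transforms(text):
    """Parse transforms.conf stanzas into {stanza: {key: value}}, keeping key case."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # Splunk .conf keys are case-sensitive; do not lowercase them
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}

def lint_dest_keys(stanzas):
    """Return {stanza: message} for each DEST_KEY not spelled exactly as in the spec."""
    problems = {}
    for name, keys in stanzas.items():
        dest = keys.get("DEST_KEY")
        if dest is None or dest in KNOWN_DEST_KEYS:
            continue
        hint = [k for k in KNOWN_DEST_KEYS if k.lower() == dest.lower()]
        problems[name] = f"unknown DEST_KEY {dest!r}" + (f", did you mean {hint[0]!r}?" if hint else "")
    return problems

def apply_sourcetype_transform(stanza, lines, default="syslog"):
    """Model the override from the thread (assumption): a line matching REGEX gets FORMAT's
    sourcetype only when DEST_KEY is exactly MetaData:Sourcetype; otherwise it keeps the default."""
    regex = re.compile(stanza["REGEX"])
    new_st = stanza["FORMAT"].split("::", 1)[1]
    targets_sourcetype = stanza.get("DEST_KEY") == "MetaData:Sourcetype"
    return [new_st if (targets_sourcetype and regex.search(line)) else default for line in lines]
```

Running `lint_dest_keys(parse_transforms(TRANSFORMS_CONF))` reports the SourceType typo with the corrected spelling; with the key fixed, the first sample line comes back as `ftp` and the sshd line stays at the default.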

pmr
Explorer

Thanks Stephen, it works now. What I did was not only correct SourceType to Sourcetype in transforms.conf but also move props.conf and transforms.conf to the /etc/system/local directory from /etc/apps/SplunkForwarder/local.

So my new question is: should I always have props and transforms under /etc/system/local as opposed to under an app (/etc/apps/app-name/local) for index-time transformations? If we have different applications with their own props and transforms, should we always combine them under /etc/system/local?

Thanks,
pmr
