Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Override source (tcp:xxxx) of a tcp input using transforms

parallaxed
Path Finder
‎08-13-2010 11:56 AM

Looks like MetaData:Source should be used, but despite many variations and | extract reload=t, I can't seem to get this to work, even by attempting to force it, as per below

transforms.conf

[net_type]
DEST_KEY = MetaData:Source
REGEX = .*
FORMAT = source::VMSTAT
WRITE_META = true

props.conf 

[net]
SHOULD_LINEMERGE=false
TRANSFORMS-net_type = net_type

^ Firstly, this "forcing" seems like it should be valid - it may not be, please correct me.

I'm looking to apply this depending on the raw text of the event, so my source type isn't fixed and can't be set in inputs.conf.

Is source override possible for only certain types of inputs?

I should add this is Splunk 4.1.x, and that this transformation works if I use MetaData:Sourcetype instead of MetaData:Source. Why would it work with one field but not the other?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Lowell
Super Champion
‎08-13-2010 02:56 PM

I believe this should work. Please note that using | extract reload=T will not reload an index-time config like this, you will need to restart splunkd.

I would also suggest the following in transforms.conf:

[net_type]
DEST_KEY = MetaData:Source
REGEX = .
FORMAT = source::VMSTAT

Two changes: (1) You don't need WRITE_META in this case. (2) No need use the more-expensive .*, when a simple . will do the trick.

View solution in original post

Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎08-18-2010 04:19 PM

I am reasonably sure that on your input stanza, you can just specify:

[tcp:xxxx]
sourcetype = net_type
source = VMSTAT

This won't work on a splunktcp: input, as that comes from a forwarder and the source would have been set on the forwarder, but for scripted, udp, and tcp inputs, you can just override it like this.

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎08-18-2010 04:23 PM

A regex of . or .? seems better to me than .*, although I don't know if PCRE optimizes this out if there is no capture group. I personally use (?=) for a PCRE regex that always matches.

0 Karma
Reply
Solved! Jump to solution
Solution

Lowell
Super Champion
‎08-13-2010 02:56 PM

I believe this should work. Please note that using | extract reload=T will not reload an index-time config like this, you will need to restart splunkd.

I would also suggest the following in transforms.conf:

[net_type]
DEST_KEY = MetaData:Source
REGEX = .
FORMAT = source::VMSTAT

Two changes: (1) You don't need WRITE_META in this case. (2) No need use the more-expensive .*, when a simple . will do the trick.

Reply
Solved! Jump to solution

parallaxed
Path Finder
‎08-13-2010 03:09 PM

Restart was definitively needed, that was clearly hampering the testing.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...