Override source (tcp:xxxx) of a tcp input using transforms

parallaxed
Path Finder

Looks like MetaData:Source should be used, but despite many variations and | extract reload=t, I can't seem to get this to work, even by attempting to force it, as per below.

transforms.conf

[net_type]
DEST_KEY = MetaData:Source
REGEX = .*
FORMAT = source::VMSTAT
WRITE_META = true

props.conf 

[net]
SHOULD_LINEMERGE=false
TRANSFORMS-net_type = net_type

^ Firstly, this "forcing" seems like it should be valid - it may not be, please correct me.

I'm looking to apply this depending on the raw text of the event, so my source type isn't fixed and can't be set in inputs.conf.

Is source override possible for only certain types of inputs?

I should add this is Splunk 4.1.x, and that this transformation works if I use MetaData:Sourcetype instead of MetaData:Source. Why would it work with one field but not the other?

0 Karma
1 Solution

Lowell
Super Champion

I believe this should work. Please note that using | extract reload=T will not reload an index-time config like this, you will need to restart splunkd.

I would also suggest the following in transforms.conf:

[net_type]
DEST_KEY = MetaData:Source
REGEX = .
FORMAT = source::VMSTAT

Two changes: (1) You don't need WRITE_META in this case. (2) No need to use the more-expensive .*, when a simple . will do the trick.

gkanapathy
Splunk Employee

I am reasonably sure that on your input stanza, you can just specify:

[tcp:xxxx]
sourcetype = net_type
source = VMSTAT

This won't work on a splunktcp: input, as that comes from a forwarder and the source would have been set on the forwarder, but for scripted, udp, and tcp inputs, you can just override it like this.

0 Karma

gkanapathy
Splunk Employee

A regex of . or .? seems better to me than .*, although I don't know if PCRE optimizes this out if there is no capture group. I personally use (?=) for a PCRE regex that always matches.

0 Karma
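As an added illustration (not code from this thread, and not Splunk's own implementation), here is a small Python model of how an index-time transform like the one above conditions the metadata rewrite on REGEX: the three "always match" regexes discussed (. versus .* versus (?=)) are compared on an empty event, and an assumed extra stanza, vmstat_header, shows the raw-text-keyed override the question asks about. The model assumes REGEX runs against the raw event (the SOURCE_KEY default) and that FORMAT is written verbatim into DEST_KEY; $n group references are not expanded.

```python
import configparser
import re

# Constructed transforms.conf-style text modelled on this thread: the same
# DEST_KEY/FORMAT with the regexes discussed above, plus one stanza (assumed,
# not from the thread) keyed on the raw text of a vmstat header line.
TRANSFORMS = r"""
[net_type_dot]
DEST_KEY = MetaData:Source
REGEX = .
FORMAT = source::VMSTAT

[net_type_lookahead]
DEST_KEY = MetaData:Source
REGEX = (?=)
FORMAT = source::VMSTAT

[vmstat_header]
DEST_KEY = MetaData:Source
REGEX = ^procs\s+-+memory
FORMAT = source::VMSTAT
"""

def load_stanzas(text):
    """Parse conf-style stanzas into {stanza_name: {KEY: value}}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case (DEST_KEY, REGEX, FORMAT)
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}

def apply_transform(stanza, raw, meta):
    """Approximate one index-time transform: if REGEX matches the raw event,
    write FORMAT into DEST_KEY. Simplified model of the documented behaviour,
    not Splunk's code; $n group references in FORMAT are not expanded."""
    if re.search(stanza["REGEX"], raw) is None:
        return dict(meta)  # no match: metadata left untouched
    new = dict(meta)
    new[stanza["DEST_KEY"]] = stanza["FORMAT"]  # e.g. MetaData:Source = source::VMSTAT
    return new

def run_transforms(stanzas, names, raw, meta):
    """Apply the stanzas named in a TRANSFORMS-<class> list, in order."""
    for name in names:
        meta = apply_transform(stanzas[name], raw, meta)
    return meta
```

Note that REGEX = . leaves an empty event's source untouched while (?=) rewrites it, which is the difference gkanapathy points at; the remaining test of whether the rewrite took effect is still a splunkd restart, as the accepted answer says.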

parallaxed
Path Finder

Restart was definitively needed, that was clearly hampering the testing.

0 Karma