
Override source (tcp:xxxx) of a tcp input using transforms

parallaxed
Path Finder

Looks like MetaData:Source should be used, but despite many variations and | extract reload=t, I can't seem to get this to work, even by attempting to force it, as per below

transforms.conf

[net_type]
DEST_KEY = MetaData:Source
REGEX = .*
FORMAT = source::VMSTAT
WRITE_META = true

props.conf

[net]
SHOULD_LINEMERGE=false
TRANSFORMS-net_type = net_type

^ Firstly, this "forcing" seems like it should be valid - it may not be, please correct me.

I'm looking to apply this depending on the raw text of the event, so my source type isn't fixed and can't be set in inputs.conf.

Is source override possible for only certain types of inputs?

I should add this is Splunk 4.1.x, and that this transformation works if I use MetaData:Sourcetype instead of MetaData:Source. Why would it work with one field but not the other?

1 Solution

Lowell
Super Champion

I believe this should work. Please note that using | extract reload=T will not reload an index-time config like this, you will need to restart splunkd.

I would also suggest the following in transforms.conf:

[net_type]
DEST_KEY = MetaData:Source
REGEX = .
FORMAT = source::VMSTAT

Two changes: (1) You don't need WRITE_META in this case. (2) No need to use the more-expensive .*, when a simple . will do the trick.


gkanapathy
Splunk Employee

I am reasonably sure that on your input stanza, you can just specify:

[tcp:xxxx]
sourcetype = net_type
source = VMSTAT

This won't work on a splunktcp: input, as that comes from a forwarder and the source would have been set on the forwarder, but for scripted, udp, and tcp inputs, you can just override it like this.


gkanapathy
Splunk Employee

A regex of . or .? seems better to me than .*, although I don't know if PCRE optimizes this out if there is no capture group. I personally use (?=) for a PCRE regex that always matches.

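
The index-time behaviour that the accepted answer and the regex comment above rely on, as an added, constructed emulation (not Splunk's code and not posted by anyone in this thread): a transform's REGEX is tested against the raw event and, on a match, FORMAT is written to DEST_KEY with the source:: prefix. The vmstat header pattern and the $1 capture transform are assumptions made for this example; they show the raw-text-dependent override the question asks for, and the empty-event case where . and (?=) differ.

```python
import re
from dataclasses import dataclass

# Constructed emulation of the index-time transform semantics the thread relies on
# (this is NOT Splunk code): REGEX is tested against _raw; when it matches, FORMAT
# is expanded ($1..$9 refer to capture groups) and written to DEST_KEY. Metadata
# keys carry a "<key>::" prefix, which is why FORMAT must read source::VMSTAT.
# Python's re stands in for PCRE; the patterns below behave the same in both.

@dataclass
class Transform:
    regex: str
    fmt: str
    dest_key: str = "MetaData:Source"

def apply_transforms(raw, meta, transforms):
    """Run transforms in order (like TRANSFORMS-<class> = a, b); later matches win."""
    meta = dict(meta)
    for t in transforms:
        m = re.search(t.regex, raw)          # unanchored unless the pattern anchors itself
        if m is None:
            continue                         # no match: DEST_KEY is left untouched
        # Turn Splunk-style $1 into Python's \1 so expand() substitutes the group
        meta[t.dest_key] = m.expand(re.sub(r"\$(\d)", r"\\\1", t.fmt))
    return meta

def source_of(meta):
    """Strip the 'source::' prefix Splunk keeps in MetaData:Source."""
    return meta["MetaData:Source"].split("::", 1)[1]

# The accepted answer: override source for every non-empty event of the sourcetype.
ACCEPTED = [Transform(regex=".", fmt="source::VMSTAT")]
# gkanapathy's always-matching alternative (matches even an empty event).
ALWAYS = [Transform(regex="(?=)", fmt="source::VMSTAT")]
# What the asker actually wanted: decide from the raw text. Both patterns are
# constructed samples for this example, not taken from the thread.
CONDITIONAL = [
    Transform(regex=r"^procs\s+-+memory", fmt="source::VMSTAT"),
    Transform(regex=r"^(\w+)\s+stats:", fmt="source::$1"),   # capture group -> source
]

def demo(raw, transforms):
    """Return the resulting source for one raw event arriving on a sample tcp input."""
    meta = apply_transforms(raw, {"MetaData:Source": "source::tcp:5140"}, transforms)
    return source_of(meta)

if __name__ == "__main__":
    header = "procs -----------memory---------- ---swap--"
    print(demo(header, ACCEPTED))                    # VMSTAT
    print(demo("", ACCEPTED))                        # tcp:5140 ('.' needs one character)
    print(demo("", ALWAYS))                          # VMSTAT
    print(demo("iostat stats: r/s 12 w/s 3", CONDITIONAL))  # iostat
    print(demo("unrelated line", CONDITIONAL))       # tcp:5140
```

As the thread notes, the real thing is index-time config, so splunkd must be restarted for a changed stanza to take effect; `| extract reload=T` only reloads search-time extractions.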

parallaxed
Path Finder

Restart was definitively needed, that was clearly hampering the testing.
