Solved: Props isn't working on overrided sourcetype

ekenne06 · ‎01-29-2021

I followed this article https://docs.splunk.com/Documentation/Splunk/8.1.1/Data/Advancedsourcetypeoverrides

basically I took sourcetype ABC and am doing some regex and searching for 123, if I find that in the event I change the sourcetype to ABC:123. Now for this new sourcetype there is some wonky event breaking. Can I then create a new props entry [ABC:123] and perform all my line breaking and time extracting like I would for any normal event? As of right now it doesn't seem to be working. I have:

2021-01-26 00:00:44.2885 [INFO] [NT AUTHORITY\SYSTEM] SIXPACService.SplunkForwarder.SplunkWriter Attempting to Splunk Message from SITA:
<?xml version="1.0" encoding="utf-8"?>
<DCNSMessage>

and with the following props for testing:

[ABC:123]

LINE_BREAKER = SIXPACService.(.*)

and nothing happened when I tried that props. any ideas?

richgalloway · ‎01-29-2021

Splunk doesn't work that way. It will make a single pass through the props.conf settings for the current sourcetype. If the sourcetype changes, the props for the new sourcetype will not be processed.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎01-29-2021

Splunk doesn't work that way. It will make a single pass through the props.conf settings for the current sourcetype. If the sourcetype changes, the props for the new sourcetype will not be processed.

---
If this reply helps you, Karma would be appreciated.

ekenne06 · ‎01-29-2021

You are correct! I applied my linebreaking to the original sourcetype and it worked like a charm! I appreciate the information.

Props isn't working on overrided sourcetype

indexer

props.conf

transforms.conf

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!