Solved: Props isn't working on overrided sourcetype

ekenne06 · ‎01-29-2021

I followed this article https://docs.splunk.com/Documentation/Splunk/8.1.1/Data/Advancedsourcetypeoverrides

basically I took sourcetype ABC and am doing some regex and searching for 123, if I find that in the event I change the sourcetype to ABC:123. Now for this new sourcetype there is some wonky event breaking. Can I then create a new props entry [ABC:123] and perform all my line breaking and time extracting like I would for any normal event? As of right now it doesn't seem to be working. I have:

2021-01-26 00:00:44.2885 [INFO] [NT AUTHORITY\SYSTEM] SIXPACService.SplunkForwarder.SplunkWriter Attempting to Splunk Message from SITA:
<?xml version="1.0" encoding="utf-8"?>
<DCNSMessage>

and with the following props for testing:

[ABC:123]

LINE_BREAKER = SIXPACService.(.*)

and nothing happened when I tried that props. any ideas?

richgalloway · ‎01-29-2021

Splunk doesn't work that way. It will make a single pass through the props.conf settings for the current sourcetype. If the sourcetype changes, the props for the new sourcetype will not be processed.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎01-29-2021

Splunk doesn't work that way. It will make a single pass through the props.conf settings for the current sourcetype. If the sourcetype changes, the props for the new sourcetype will not be processed.

---
If this reply helps you, Karma would be appreciated.

ekenne06 · ‎01-29-2021

You are correct! I applied my linebreaking to the original sourcetype and it worked like a charm! I appreciate the information.

Props isn't working on overrided sourcetype

indexer

props.conf

transforms.conf

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms