Getting Data In

Renaming sourcetype and source with props and transforms

barak_l_griffis
Engager

We have some VIOS servers that are special-purpose machines that aren't allowed to have a UF installed. I want to hotwire the Splunk_TA_nix scripts to drop their output on an NFS share for Splunk to pick up. Each VIOS server will drop in a different directory under /exports/ and each script will write to a file with it's name (df.sh > df.log)
I want df.log to go to index=os, sourcetype=df, source=df
ps, iostat, vmstat, etc...
This isn't working:

inputs.conf

[monitor:///exports/vio*/*.log]
disabled = 0
followTail = 0
host =
host_segment = 2
index = os

props.conf

[source:.../df.log]
sourcetype = df
TRANSFORMS-viosdf = viosdf

[source:.../psdf.log]
sourcetype = ps
TRANSFORMS-viosps = viosps

transforms.conf

[viosdf]
DEST_KEY = MetaData:Source
FORMAT = source::df

[viosps]
DEST_KEY = MetaData:Source
FORMAT = source::ps
0 Karma
1 Solution

kristian_kolb
Ultra Champion

Why not do it all in inputs.conf?

[monitor:///exports/vio*/df.log]
disabled = 0
followTail = 0
host =
host_segment = 2
index = os
sourcetype = df
source = df

[monitor:///exports/vio*/ps.log]
disabled = 0
followTail = 0
host =
host_segment = 2
index = os
sourcetype = ps
source = ps

/Kristian

View solution in original post

kristian_kolb
Ultra Champion

Why not do it all in inputs.conf?

[monitor:///exports/vio*/df.log]
disabled = 0
followTail = 0
host =
host_segment = 2
index = os
sourcetype = df
source = df

[monitor:///exports/vio*/ps.log]
disabled = 0
followTail = 0
host =
host_segment = 2
index = os
sourcetype = ps
source = ps

/Kristian

ff9231
Loves-to-Learn

I don't think it works for defining "source" in inputs.conf

If I define host/host_segment then "source" always go to default to show as filename(which is what I don't want).

I am modifying on Universal Forwarder.

If I don't define host/host_segment then "source" name is OK but host goes to default server name...

0 Karma

barak_l_griffis
Engager

Ouch. That's painfully obvious and I missed it.
Thanks!

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...