SourceType using Props.conf and Transforms.conf

rmcdougal

Ok, so here is the deal. I will have quite a few different types of events coming through on UDP 514 and need to sourcetype them differently. I have read enough to find that this is supposed to be possible, however I can't get it to work. Here is what I have so far.

To start with here is a sample event stream.

Jun  7 14:25:25 10.220.5.27 8417003: *Jun  7 14:22:01.037 cst: %SEC-6-IPACCESSLOGP: list Check-TCP-UDP permitted udp 10.222.71.115(137) -> 10.222.71.255(137), 2 packets
Jun  7 14:25:27 10.220.5.27 8417004: *Jun  7 14:22:02.393 cst: %SEC-6-IPACCESSLOGP: list Check-TCP-UDP permitted udp 10.222.71.116(137) -> 10.222.71.255(137), 2 packets
Jun  7 14:25:28 10.220.5.27 8417005: *Jun  7 14:22:03.493 cst: %SEC-6-IPACCESSLOGP: list Check-TCP-UDP permitted udp 10.222.71.52(5510) -> 255.255.255.255(5510), 1 packet
Jun  7 14:25:29 10.220.5.27 8417006: *Jun  7 14:22:04.905 cst: %SEC-6-IPACCESSLOGP: list Check-TCP-UDP permitted udp 10.222.71.71(5510) -> 255.255.255.255(5510), 1 packet
Jun  7 14:25:31 10.220.5.27 8417007: *Jun  7 14:22:06.445 cst: %SEC-6-IPACCESSLOGP: list Check-TCP-UDP permitted udp 10.222.71.152(137) -> 10.222.71.255(137), 2 packets
Jun  7 14:25:33 10.220.5.27 8417008: *Jun  7 14:22:08.325 cst: %SEC-6-IPACCESSLOGP: list Check-TCP-UDP permitted udp 10.222.71.54(5510) -> 255.255.255.255(5510), 1 packet
Jun  7 14:25:34 10.220.5.27 8417009: *Jun  7 14:22:09.393 cst: %SEC-6-IPACCESSLOGP: list Check-TCP-UDP permitted udp 10.222.71.66(5510) -> 255.255.255.255(5510), 1 packet
Jun  7 14:25:36 10.220.5.27 8417010: *Jun  7 14:22:12.093 cst: %SEC-6-IPACCESSLOGP: list Check-TCP-UDP permitted udp 10.222.71.49(5510) -> 255.255.255.255(5510), 1 packet
Jun  7 14:25:38 10.220.5.27 8417011: *Jun  7 14:22:13.341 cst: %SEC-6-IPACCESSLOGP: list Check-TCP-UDP permitted udp 10.222.71.64(5510) -> 255.255.255.255(5510), 1 packet
Jun  7 14:25:39 10.220.5.27 8417012: *Jun  7 14:22:14.693 cst: %SEC-6-IPACCESSLOGP: list Check-TCP-UDP permitted udp 10.222.71.55(5510) -> 255.255.255.255(5510), 1 packet

Now what I would like to do is to use the device IP address (10.220.5.27) as a means to sourcetype this type of event. This is what I have in my props and transforms right now on the indexer:

props.conf

[source::UDP:514]
TRANSFORMS-transCisco = transCisco

transforms.conf

[transCisco]
REGEX=10.220.5.27
FORMAT= sourcetype::cisco_syslog
DEST_KEY = MetaData:Sourcetype

richprescott

Try this stanza instead:


[transCisco]
REGEX=(10\.220\.5\.27)
FORMAT= sourcetype::$1
DEST_KEY = MetaData:Sourcetype


DrewO

Your REGEX needs to escape the periods to match an actual period instead of the REGEX special character .

It should be REGEX = 10\.220\.5\.27

Otherwise looks good.

rmcdougal

Figured it out. "UDP" was capitalized in props.conf.

Should have been like this


[source::udp:514]
TRANSFORMS-changesourcetype = change_to_cisco_syslog


rmcdougal

Thank you for your help!

Unfortunately this is still not working; it is still being put into Splunk as sourcetype UDP:514. Here are my current props and transforms configs:

props.conf


[source::UDP:514]
TRANSFORMS-changesourcetype = change_to_cisco_syslog

transforms.conf


[change_to_cisco_syslog]
REGEX = (10\.220\.5\.27)
FORMAT= sourcetype::cisco_syslog
DEST_KEY = MetaData:Sourcetype

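The thread turns on three details: the REGEX must escape its dots, the FORMAT can either set a literal sourcetype or reuse a capture group with $1, and the props.conf stanza must spell the source exactly as Splunk names it (udp:514, not UDP:514). The following is an added example, not code from the thread or from Splunk: a small Python simulation of how a transforms.conf stanza with DEST_KEY = MetaData:Sourcetype rewrites the sourcetype, run over the sample stream. It goes beyond the thread in one respect: it adds an "anchored" stanza that pins the address to the host position of the syslog header, because even the escaped regex still matches any event whose raw text merely contains 10.220.5.27 anywhere. The first two events are copied from the thread's sample; the 110.220.5.27 host, the sshd line and the DEFAULT_SOURCETYPE value are constructed for the demonstration.

```python
import re

# Constructed sample input. The first two lines are copied from the sample
# stream in the thread; the last two are made up here to exercise the edge
# cases: a host whose address merely *contains* 10.220.5.27, and a message
# body where the dots are replaced by other characters.
EVENTS = [
    "Jun  7 14:25:25 10.220.5.27 8417003: *Jun  7 14:22:01.037 cst: %SEC-6-IPACCESSLOGP: list Check-TCP-UDP permitted udp 10.222.71.115(137) -> 10.222.71.255(137), 2 packets",
    "Jun  7 14:25:27 10.220.5.27 8417004: *Jun  7 14:22:02.393 cst: %SEC-6-IPACCESSLOGP: list Check-TCP-UDP permitted udp 10.222.71.116(137) -> 10.222.71.255(137), 2 packets",
    "Jun  7 14:25:30 110.220.5.27 4711: *Jun  7 14:22:05.000 cst: %SEC-6-IPACCESSLOGP: list Check-TCP-UDP denied udp 10.9.9.9(53) -> 10.9.9.1(53), 1 packet",
    "Jun  7 14:25:31 192.168.9.9 sshd[101]: Accepted password for user from 10x220y5z27 port 2222",
]

# Assumed sourcetype an event keeps when no transform fires. The thread reports
# events landing as "UDP:514"; the real default depends on the input definition.
DEFAULT_SOURCETYPE = "UDP:514"

# transforms.conf stanzas modelled as dicts: the three versions from the thread
# plus an anchored variant added here.
TRANSFORMS = {
    # original post: dots unescaped, so "." matches any character
    "unescaped": {"REGEX": r"10.220.5.27", "FORMAT": "sourcetype::cisco_syslog", "DEST_KEY": "MetaData:Sourcetype"},
    # DrewO's fix: literal dots
    "escaped": {"REGEX": r"10\.220\.5\.27", "FORMAT": "sourcetype::cisco_syslog", "DEST_KEY": "MetaData:Sourcetype"},
    # richprescott's stanza: the sourcetype becomes whatever group 1 captured
    "capture": {"REGEX": r"(10\.220\.5\.27)", "FORMAT": "sourcetype::$1", "DEST_KEY": "MetaData:Sourcetype"},
    # added here: match only in the host position of the syslog header
    "anchored": {"REGEX": r"^\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+10\.220\.5\.27\s", "FORMAT": "sourcetype::cisco_syslog", "DEST_KEY": "MetaData:Sourcetype"},
}


def expand_format(fmt, match):
    """Expand $1, $2, ... in a FORMAT value with the regex capture groups."""
    return re.sub(r"\$(\d+)", lambda m: match.group(int(m.group(1))), fmt)


def apply_transform(raw, stanza, sourcetype):
    """Return the sourcetype after one transforms.conf stanza is applied to raw."""
    if stanza["DEST_KEY"] != "MetaData:Sourcetype":
        return sourcetype  # only sourcetype rewrites are modelled here
    match = re.search(stanza["REGEX"], raw)
    if match is None:
        return sourcetype  # no match: the event keeps its current sourcetype
    key, _, value = expand_format(stanza["FORMAT"], match).partition("::")
    return value if key == "sourcetype" else sourcetype


def route_event(source, raw, props, transforms, default=DEFAULT_SOURCETYPE):
    """Look up the props.conf stanza for this source and run its transforms in order.

    The lookup is an exact string match: as the thread found, a stanza written
    as [source::UDP:514] does not apply to a source that Splunk names udp:514.
    """
    sourcetype = default
    for name in props.get("source::" + source, []):
        sourcetype = apply_transform(raw, transforms[name], sourcetype)
    return sourcetype


def classify(transform_name, events=EVENTS, source="udp:514"):
    """Sourcetype each sample event gets under a single transform stanza."""
    props = {"source::udp:514": [transform_name]}
    return [route_event(source, raw, props, TRANSFORMS) for raw in events]


if __name__ == "__main__":
    for name in TRANSFORMS:
        print(f"{name:10s}", classify(name))
    # the case-sensitivity trap from the thread: the stanza never matches
    wrong_case = {"source::UDP:514": ["escaped"]}
    print("UDP:514 stanza:", route_event("udp:514", EVENTS[0], wrong_case, TRANSFORMS))
```

Running it shows the unescaped regex tagging all four events as cisco_syslog (including the sshd line, since "." matched the x, y and z), the escaped and $1 versions still claiming the event from 110.220.5.27, and only the anchored stanza limiting the sourcetype to the intended device. That matters beyond tidiness: anything that feeds the same UDP input can put the string 10.220.5.27 in a message body and have its events classified as Cisco ACL logs, so key the match to the header position as above, or match on the host metadata (SOURCE_KEY = MetaData:Host) rather than on raw text.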