Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- SourceType using Props.conf and Transforms.conf
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rmcdougal
Path Finder
06-07-2012
12:33 PM
Ok, so here is the deal. I will have quite a few different types of events coming through on UDP 514 and need to sourcetype them differently. I have read enough to find that this is supposed to be possible, however I can't get it to work. Here is what I have so far.
To start with here is a sample event stream.
Jun 7 14:25:25 10.220.5.27 8417003: *Jun 7 14:22:01.037 cst: %SEC-6-IPACCESSLOGP: list Check-TCP-UDP permitted udp 10.222.71.115(137) -> 10.222.71.255(137), 2 packets
Jun 7 14:25:27 10.220.5.27 8417004: *Jun 7 14:22:02.393 cst: %SEC-6-IPACCESSLOGP: list Check-TCP-UDP permitted udp 10.222.71.116(137) -> 10.222.71.255(137), 2 packets
Jun 7 14:25:28 10.220.5.27 8417005: *Jun 7 14:22:03.493 cst: %SEC-6-IPACCESSLOGP: list Check-TCP-UDP permitted udp 10.222.71.52(5510) -> 255.255.255.255(5510), 1 packet
Jun 7 14:25:29 10.220.5.27 8417006: *Jun 7 14:22:04.905 cst: %SEC-6-IPACCESSLOGP: list Check-TCP-UDP permitted udp 10.222.71.71(5510) -> 255.255.255.255(5510), 1 packet
Jun 7 14:25:31 10.220.5.27 8417007: *Jun 7 14:22:06.445 cst: %SEC-6-IPACCESSLOGP: list Check-TCP-UDP permitted udp 10.222.71.152(137) -> 10.222.71.255(137), 2 packets
Jun 7 14:25:33 10.220.5.27 8417008: *Jun 7 14:22:08.325 cst: %SEC-6-IPACCESSLOGP: list Check-TCP-UDP permitted udp 10.222.71.54(5510) -> 255.255.255.255(5510), 1 packet
Jun 7 14:25:34 10.220.5.27 8417009: *Jun 7 14:22:09.393 cst: %SEC-6-IPACCESSLOGP: list Check-TCP-UDP permitted udp 10.222.71.66(5510) -> 255.255.255.255(5510), 1 packet
Jun 7 14:25:36 10.220.5.27 8417010: *Jun 7 14:22:12.093 cst: %SEC-6-IPACCESSLOGP: list Check-TCP-UDP permitted udp 10.222.71.49(5510) -> 255.255.255.255(5510), 1 packet
Jun 7 14:25:38 10.220.5.27 8417011: *Jun 7 14:22:13.341 cst: %SEC-6-IPACCESSLOGP: list Check-TCP-UDP permitted udp 10.222.71.64(5510) -> 255.255.255.255(5510), 1 packet
Jun 7 14:25:39 10.220.5.27 8417012: *Jun 7 14:22:14.693 cst: %SEC-6-IPACCESSLOGP: list Check-TCP-UDP permitted udp 10.222.71.55(5510) -> 255.255.255.255(5510), 1 packet
Now what I would like to do is to use the device IP address (10.220.5.27) as a means to sourcetype this type of event. This is what I have in my props and transforms right now on the indexer
props.conf
[source::UDP:514]
TRANSFORMS-transCisco = transCisco
transforms.conf
[transCisco]
REGEX=10.220.5.27
FORMAT= sourcetype::cisco_syslog
DEST_KEY = MetaData:Sourcetype
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richprescott
Path Finder
06-07-2012
01:22 PM
Try this stanza instead:
[transCisco]
REGEX=(10\.220\.5\.27)
FORMAT= sourcetype::$1
DEST_KEY = MetaData:Sourcetype
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DrewO
Splunk Employee
06-07-2012
02:31 PM
Your REGEX needs to escape the periods to match an actual period instead of the REGEX special character .
should be REGEX = 10\.220\.5\.27
Otherwise looks good.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richprescott
Path Finder
06-07-2012
01:22 PM
Try this stanza instead:
[transCisco]
REGEX=(10\.220\.5\.27)
FORMAT= sourcetype::$1
DEST_KEY = MetaData:Sourcetype
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rmcdougal
Path Finder
06-13-2012
05:54 AM
Figured it out. "UDP" was capitalized in props.conf
Should have been like this
[source::udp:514]
TRANSFORMS-changesourcetype = change_to_cisco_syslog
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rmcdougal
Path Finder
06-12-2012
01:49 PM
Thank you for your help!
Unfortunately this is still not working, it is still being put into Splunk as sourcetype UDP:514. Here is my current props and transforms configs
[props.conf]
[source::UDP:514]
TRANSFORMS-changesourcetype = change_to_cisco_syslog
[Tranforms.conf]
[change_to_cisco_syslog]
REGEX = (10\.220\.5\.27)
FORMAT= sourcetype::cisco_syslog
DEST_KEY = MetaData:Sourcetype
Get Updates on the Splunk Community!
Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...
This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...
Elevate Your Organization with Splunk’s Next Platform Evolution
Thursday, July 10, 2025 | 11AM PDT / 2PM EDT
Whether you're managing complex deployments or looking to ...
Splunk Answers Content Calendar, June Edition
Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
