Getting Data In

Sourcetype Override is not working

ekenne06
Path Finder

the problem i'm currently having:

Software team has logs being written to a file of mixed format and structure. I'm trying to use dynamic sourcetypes so that I can place these into sourcetypes and then do the proper field extractions. I have followed this article: https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Bypassautomaticsourcetypeassignment

 

But it doesn't seem to be working. here is my current config:

 

props.conf:

[source::C/Windows/SysWOW64/SIXPAC/SIXPAC/*.log]

TRANSFORMS=SIXPAC = sixpac_service

 

transforms.conf

[sixpac_service]

SOURCE_KEY = MetaData: source

REGEX = SIXPACService\.(.+)\.(.+)\s

FORMAT = sourcetype::SIXPACService.$1.$2

DEST_KEY = MetaData:Sourcetype

 

Anyone have some ideas as to why this isn't working?

 

Labels (4)
0 Karma
1 Solution

ekenne06
Path Finder

i'm not totally sure of the cause, but I was able to get write access to the host (which was sending data via a UF) I set a sourcetype there, and changed my props to reference that sourcetype instead of the source:: I was using before and everything is working now.

 

my assumption for why it wan't working before:

it was a windows host and the source wasn't being recognized properly in the props.conf

splunk was setting a sourcetype/source via learned/local config files and those couldn't be overwritten for some reason

View solution in original post

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @ekenne06,

three questions:

  • where have you localized your props.conf and transforms.conf? they must be on Indexers or (when present) on Heavy Forwarders;
  • did you restarted Splunk on Indexer (or HF) after you modified props.conf and transforms.conf?
  • did you tested your regex? are you sure that it matches the events to override?

Ciao.

Giuseppe

0 Karma

ekenne06
Path Finder

I have the props.conf and transforms.conf in an app that sits in the master_apps directory on my cluster master. I then distribute to my peers whenever I make a change. Usually if this needs a reboot, the rolling restart will take care of that right? 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @ekenne06,

ok,

this means that they are on Indexers and they are rebooted after changes.

Are you sure that the events don't pass through an Heavy Forwarder?

And about the regex?

Ciao.

Giuseppe

0 Karma

ekenne06
Path Finder

i'm not totally sure of the cause, but I was able to get write access to the host (which was sending data via a UF) I set a sourcetype there, and changed my props to reference that sourcetype instead of the source:: I was using before and everything is working now.

 

my assumption for why it wan't working before:

it was a windows host and the source wasn't being recognized properly in the props.conf

splunk was setting a sourcetype/source via learned/local config files and those couldn't be overwritten for some reason

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...