The problem I'm currently having:
The software team has logs being written to a file of mixed format and structure. I'm trying to use dynamic sourcetypes so that I can place these into sourcetypes and then do the proper field extractions. I have followed this article: https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Bypassautomaticsourcetypeassignment
But it doesn't seem to be working. Here is my current config:
props.conf:
# Windows source paths need the drive colon, and backslashes are doubled
# because a single backslash acts as an escape in a source:: stanza pattern.
[source::C:\\Windows\\SysWOW64\\SIXPAC\\SIXPAC\\*.log]
# The setting name is TRANSFORMS-<class>; "TRANSFORMS=SIXPAC = ..." is not a valid key.
TRANSFORMS-sixpac = sixpac_service
transforms.conf:
[sixpac_service]
# Key names are case-sensitive and contain no space: MetaData:Source, not "MetaData: source".
SOURCE_KEY = MetaData:Source
# Runs against the full source path. The trailing \s requires whitespace after the
# second capture group, which a path ending in ".log" will not contain.
REGEX = SIXPACService\.(.+)\.(.+)\s
FORMAT = sourcetype::SIXPACService.$1.$2
DEST_KEY = MetaData:Sourcetype
Anyone have some ideas as to why this isn't working?
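Added example, not part of the original post: a dry run in Python of the REGEX/FORMAT pair from the transforms.conf stanza above, against constructed Windows source paths (the thread does not show the real SIXPAC filenames, so the sample paths and the "tightened" alternative regex are assumptions). It emulates what Splunk does with SOURCE_KEY = MetaData:Source and DEST_KEY = MetaData:Sourcetype: when REGEX matches the source, $1/$2 are substituted into FORMAT and the result becomes the sourcetype; when it does not match, the stanza does nothing and automatic sourcetype assignment still applies.

```python
import re
from typing import Dict, Iterable, Optional

# Constructed sample sources (the thread does not show the real SIXPAC filenames).
SAMPLE_SOURCES = [
    r"C:\Windows\SysWOW64\SIXPAC\SIXPAC\SIXPACService.Auth.Worker.log",
    r"C:\Windows\SysWOW64\SIXPAC\SIXPAC\SIXPACService.Billing.Api.log",
    r"C:\Windows\SysWOW64\SIXPAC\SIXPAC\installer.log",
]

# REGEX and FORMAT exactly as posted in the transforms.conf stanza.
POSTED_REGEX = r"SIXPACService\.(.+)\.(.+)\s"
FORMAT = "sourcetype::SIXPACService.$1.$2"

# Hypothetical tightened REGEX (assumes filenames look like SIXPACService.<a>.<b>.log):
# capture groups cannot span '.' or '\', and the match is anchored on ".log" at the end.
TIGHTENED_REGEX = r"SIXPACService\.([^.\\]+)\.([^.\\]+)\.log$"


def apply_transform(source: str, regex: str, fmt: str = FORMAT) -> Optional[str]:
    """Emulate one transforms.conf stanza with SOURCE_KEY = MetaData:Source
    and DEST_KEY = MetaData:Sourcetype.

    Returns the sourcetype Splunk would assign, or None when REGEX does not
    match (the stanza then does nothing and automatic assignment still runs).
    """
    match = re.search(regex, source)
    if match is None:
        return None
    # FORMAT refers to capture groups as $1, $2, ...; substitute them in.
    expanded = re.sub(r"\$(\d+)", lambda g: match.group(int(g.group(1))), fmt)
    # For DEST_KEY = MetaData:Sourcetype the FORMAT value carries a "sourcetype::" prefix.
    prefix = "sourcetype::"
    return expanded[len(prefix):] if expanded.startswith(prefix) else expanded


def dry_run(sources: Iterable[str], regex: str) -> Dict[str, Optional[str]]:
    """Map each source path to the sourcetype the stanza would produce (None = no match)."""
    return {src: apply_transform(src, regex) for src in sources}


if __name__ == "__main__":
    for label, rx in (("posted", POSTED_REGEX), ("tightened", TIGHTENED_REGEX)):
        print(f"--- {label} REGEX: {rx}")
        for src, st in dry_run(SAMPLE_SOURCES, rx).items():
            print(f"{src}\n    -> {st if st else 'NO MATCH (sourcetype left to auto-assignment)'}")
```

The dry run only tells you whether the pattern can match a given source path. The transform itself runs at index time, so the props/transforms stanzas must be on the first full Splunk instance that parses the data (a heavy forwarder if one sits in the path, otherwise the indexers), and events already indexed are not re-typed.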
I'm not totally sure of the cause, but I was able to get write access to the host (which was sending data via a UF). I set a sourcetype there and changed my props to reference that sourcetype instead of the source:: stanza I was using before, and everything is working now.
My assumptions for why it wasn't working before:
It was a Windows host and the source wasn't being recognized properly in the props.conf.
Splunk was setting a sourcetype/source via learned/local config files and those couldn't be overwritten for some reason.
Hi @ekenne06,
three questions:
Ciao.
Giuseppe
I have the props.conf and transforms.conf in an app that sits in the master_apps directory on my cluster master. I then distribute to my peers whenever I make a change. Usually, if this needs a reboot, the rolling restart will take care of that, right?
Hi @ekenne06,
OK,
this means that they are on indexers and they are rebooted after changes.
Are you sure that the events don't pass through a Heavy Forwarder?
And about the regex?
Ciao.
Giuseppe