Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Sourcetype Override is not working
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the problem i'm currently having:
Software team has logs being written to a file of mixed format and structure. I'm trying to use dynamic sourcetypes so that I can place these into sourcetypes and then do the proper field extractions. I have followed this article: https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Bypassautomaticsourcetypeassignment
But it doesn't seem to be working. here is my current config:
props.conf:
[source::C/Windows/SysWOW64/SIXPAC/SIXPAC/*.log]
TRANSFORMS=SIXPAC = sixpac_service
transforms.conf
[sixpac_service]
SOURCE_KEY = MetaData: source
REGEX = SIXPACService\.(.+)\.(.+)\s
FORMAT = sourcetype::SIXPACService.$1.$2
DEST_KEY = MetaData:Sourcetype
Anyone have some ideas as to why this isn't working?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i'm not totally sure of the cause, but I was able to get write access to the host (which was sending data via a UF) I set a sourcetype there, and changed my props to reference that sourcetype instead of the source:: I was using before and everything is working now.
my assumption for why it wan't working before:
it was a windows host and the source wasn't being recognized properly in the props.conf
splunk was setting a sourcetype/source via learned/local config files and those couldn't be overwritten for some reason
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @ekenne06,
three questions:
- where have you localized your props.conf and transforms.conf? they must be on Indexers or (when present) on Heavy Forwarders;
- did you restarted Splunk on Indexer (or HF) after you modified props.conf and transforms.conf?
- did you tested your regex? are you sure that it matches the events to override?
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have the props.conf and transforms.conf in an app that sits in the master_apps directory on my cluster master. I then distribute to my peers whenever I make a change. Usually if this needs a reboot, the rolling restart will take care of that right?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @ekenne06,
ok,
this means that they are on Indexers and they are rebooted after changes.
Are you sure that the events don't pass through an Heavy Forwarder?
And about the regex?
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i'm not totally sure of the cause, but I was able to get write access to the host (which was sending data via a UF) I set a sourcetype there, and changed my props to reference that sourcetype instead of the source:: I was using before and everything is working now.
my assumption for why it wan't working before:
it was a windows host and the source wasn't being recognized properly in the props.conf
splunk was setting a sourcetype/source via learned/local config files and those couldn't be overwritten for some reason
Unlock Database Monitoring with Splunk Observability Cloud
Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All
[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk
