I have deployed a scripted input with source=perfmon_script that gets server and workstation data.
In props.conf I have:
[source::perfmon_script]
TRANSFORMS-changesourcetype = sourcetype_new

[sourcetype_new]
REGEX = .
FORMAT = sourcetype::somesrctype
DEST_KEY = MetaData::Sourcetype

Sourcetype not changing. What am I doing wrong?
Some more details:
I've deployed the scripted input on one of my heavy forwarders. I've tried this transform on the same heavy forwarder as well as the indexer, but it fails to change the sourcetype to the new one.
Hi @nabeel652 ,
Debug the problem:
Use a static overriding to understand if the problem is the transformation:
[sourcetype_override]
REGEX = .
FORMAT = sourcetype::perfmon
DEST_KEY = MetaData:Sourcetype

If this transformation runs, the problem is in the original transformation itself; if it doesn't run, the problem is before.
Obviously you restarted Splunk on the HF that you modified, is that correct?
Hi @nabeel652 ,
You said that the sourcetype isn't overwritten.
This means that the problem isn't in the transformation, but in the flow.
Only one question: is the sourcetype performance, which you assign to the script in inputs.conf, used only in this case, or does it have another use?
In other words, try to modify your configuration in this way (I used performance_test but you can use the one you like):
[script://./bin/serverPerformance.py]
disabled=0
sourcetype=performance_test
source = perfmon_script
interval=30

[performance_test]
TRANSFORMS-changesourcetype = sourcetype_override

[sourcetype_override]
REGEX = src\=(srv|ws)\_
FORMAT = sourcetype::perfmon:$1
DEST_KEY = MetaData::Sourcetype

In a few words, use the original sourcetype instead of the source for the overriding.
Sourcetype has no other use. I'm in fact trying to create an example to demonstrate sourcetype override. Works fine with monitored inputs but scripted inputs are giving problems.
Still no luck. I've used the original sourcetype, i.e. "performance", but no change at all.
Well, what a silly mistake that I've made.
It is MetaData:Sourcetype NOT MetaData::Sourcetype
Fixed it and all good!
Thanks anyway for your time and sorry once again for the small typo that caused a big hassle 😄
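
A pre-deployment check for the mistake resolved in this thread, as an added example that is not part of the original posts: it flags a misspelled metadata DEST_KEY, a FORMAT prefix that does not match the key, and a TRANSFORMS- reference with no matching stanza. The names `parse_conf` and `lint` are hypothetical, the sample input is constructed from the configuration posted above, and the parser assumes simple `key = value` lines with no continuations.

```python
import re

# DEST_KEY spellings for metadata overrides, and the FORMAT prefix each one expects.
META_KEYS = {"MetaData:Sourcetype": "sourcetype::",
             "MetaData:Host": "host::",
             "MetaData:Source": "source::"}

# Sample input constructed from the configuration posted in this thread.
PROPS = "[source::perfmon_script]\nTRANSFORMS-changesourcetype = sourcetype_new\n"
TRANSFORMS = ("[sourcetype_new]\nREGEX = .\nFORMAT = sourcetype::somesrctype\n"
              "DEST_KEY = MetaData::Sourcetype\n")

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}, skipping comments and blanks."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def lint(props_text, transforms_text):
    """Return (stanza, code, message) findings for metadata-override transforms."""
    props, transforms = parse_conf(props_text), parse_conf(transforms_text)
    findings = []
    for stanza, settings in transforms.items():
        dest, fmt = settings.get("DEST_KEY", ""), settings.get("FORMAT", "")
        if dest.lower().startswith("metadata:") and dest not in META_KEYS:
            # Collapse repeated colons and ignore case to suggest the exact spelling.
            squashed = re.sub(":+", ":", dest).lower()
            fixed = next((k for k in META_KEYS if k.lower() == squashed), None)
            hint = f"; use {fixed}" if fixed else ""
            findings.append((stanza, "bad-dest-key", f"DEST_KEY = {dest} is not valid{hint}"))
        elif dest in META_KEYS and not fmt.startswith(META_KEYS[dest]):
            findings.append((stanza, "format-prefix", f"FORMAT must start with {META_KEYS[dest]}"))
    for stanza, settings in props.items():
        for key, value in settings.items():
            if key.startswith("TRANSFORMS-"):
                for name in filter(None, (n.strip() for n in value.split(","))):
                    if name not in transforms:
                        findings.append((stanza, "missing-transform", f"{name} is not defined"))
    return findings

if __name__ == "__main__":
    for finding in lint(PROPS, TRANSFORMS):
        print(*finding, sep=": ")
```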