Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Sourcetype overriding works but strange

evelenke
Contributor
‎01-24-2018 05:08 AM

Hi Splunkers,

please help with the following issue:
we get logs from Tomcat server in syslog text format (single file), which is added for Monitored File Input.
There are 3 types of events in file: Access, Runtime and system (syslog).
So I have configuretd transforms:

[app-set-sourcetype_access]
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::tomcat:access:log
REGEX = (access-log)

[app-set-sourcetype_runtime]
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::tomcat:runtime:log
REGEX = (runtime-log)

[app-set-sourcetype_syslog]
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::syslog
REGEX = (sshd\[|crond\[|\ssu\:|\skernel\:|crontab\[|anacron\[|CROND\[|Hostd\[|proftpd\[|systemd\[|systemd\:|postfix\/|sudo\[|ntpd\[|su\[|yum\[kernel\[|rsyslogd\[)

and extractions:

[host::myappserver]
TRANSFORMS-change_appSourcetype = app-set-sourcetype_access, app-set-sourcetype_syslog, app-set-sourcetype_runtime

In inputs sourcetype value for this file is:

sourcetype = tomcat:access:log

Then in Splunk I see all sourcetypes presented in a Fields tab for field sourcetype and each event has correct sourcetype mapped in the Events tab.
But when I add sourcetype=tomcat:runtime:log OR syslog to a search query, I receive nothing. Only for 1st (sourcetype=tomcat:access:log) I receive events, but events that should be mapped to syslog.

When I have only 2 sourcetypes for overriding rule everything is shown correctly.
Is it somthing known or should I change something?
Splunk Enterprise 6.6.2

0 Karma
Reply

micahkemp
Champion
‎02-03-2018 06:44 PM

Perhaps your search was all that was wrong. You had this in your question for your search:

sourcetype=tomcat:runtime:log OR syslog

You can't search like field=value OR differentvalue. Instead you would have to do:

sourcetype=tomcat:runtime:log OR sourcetype=syslog
0 Karma
Reply

p_gurav
Champion
‎01-24-2018 05:35 AM

Can you try using sourcetype in props.conf instead of host?

Reply

evelenke
Contributor
‎01-24-2018 09:35 AM

Hm, this works - now I see 2 of 3. But somehow syslog events are all now mapped to tomcat:access:log

Current props.conf

[tomcat:access:log]
TRANSFORMS-change_appSourcetype = app-set-sourcetype_syslog, app-set-sourcetype_runtime
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...