Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splitting of sourcetype

rahulg
Explorer
‎02-15-2021 09:18 AM

Hello there

I am monitoring files using input.conf and define source source type there

i am trying to split sourcetype in to multiple sourcetype

 

inputs.conf

[monitor:///opt/splunk/etc/apps/out/bin/out/.../*.gz]
disabled=0
index=security_abc_index
sourcetype=abd_s3
source=abd
interval=60

 

this props.conf  here i am doing  parsing 

[abd_s3]
LINE_BREAKER = ""{"
NO_BINARY_CHECK = 1
TRUNCATE = 0
SHOULD_LINEMERGE = false
TRANSFORMS-splitsourcetype = event1,  event2, event3,  event4

 

and TRANSFORMS.conf, event2, 3, 4 are having regex which i want to put in source type , everything else which is not matching to regex to event1

[event1]
DEST_KEY = MetaData:Sourcetype
REGEX = .
FORMAT = sourcetype::event1

[event2]
DEST_KEY = MetaData:Sourcetype
REGEX = \{\"AgentLoadFlags\".*
FORMAT = sourcetype::event2


[event3]
DEST_KEY = MetaData:Sourcetype
REGEX = \{\"GatewayIP\".*
FORMAT = sourcetype::event3


[event4]
DEST_KEY = MetaData:Sourcetype
REGEX= \{\"ComputerName\".*
FORMAT = sourcetype::event4

 

Output in index i am getting in to sourcetype event1  which not macthing to regex

which ever matched to regex not getting monitored not even index, am i doing anything wrong

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎02-15-2021 11:11 AM

The regex in the [event1] transform matches everything.  That's why everything is in that sourcetype.  Try changing the order in the TRANSFORMS attribute.

TRANSFORMS-splitsourcetype = event2, event3, event4, event1
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎02-15-2021 11:11 AM

The regex in the [event1] transform matches everything.  That's why everything is in that sourcetype.  Try changing the order in the TRANSFORMS attribute.

TRANSFORMS-splitsourcetype = event2, event3, event4, event1
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

rahulg
Explorer
‎02-16-2021 09:14 AM

Thank you

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Platform | Upgrading your Splunk Deployment to Python 3.9

Splunk initially announced the removal of Python 2 during the release of Splunk Enterprise 8.0.0, aiming to ...

From Product Design to User Insights: Boosting App Developer Identity on Splunkbase

co-authored by Yiyun Zhu & Dan Hosaka Engaging with the Community at .conf24 At .conf24, we revitalized the ...

Detect and Resolve Issues in a Kubernetes Environment

We’ve gone through common problems one can encounter in a Kubernetes environment, their impacts, and the ...