Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Transform for sourcetype not working
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Transform for sourcetype not working
I have setup a transform to ideally set the hostname and sourcetype for syslog traffic, however I'm encountering problems.
I have the following in the transforms.conf:
[firepass_sourcetyper] REGEX =
(?:192.168.249.106) DEST_KEY =
MetaData:sourcetype FORMAT =
sourcetype::firepass_log[firepass_hostnamer] REGEX =
(?:192.168.249.106) DEST_KEY =
MetaData:host FORMAT =
host::rm.markerstudy.com
And I have the following in my props.conf file:
[source::udp:514]
TRANSFORMS-firepasssoucetype = firepass_sourcetyper
TRANSFORMS-firepasshostname = firepass_hostnamer
I'm not sure if it's possible to do multiple transforms for a single source as I am trying, however for the purpose of testing this I have commented out the second transforms statement.
Can anybody help as to why this isn't working?
Thanks,
Neil
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a similar problem. I am trying get the three IP addresses to use a new sourcetye when they send in data.
Props.conf reads :
[source::udp:514]
TRANSFORMS-riverbed_src = riverbed_steelhead
TRANSFORMS-changesourcetype = sourcetype_cisco_asa
transforms.conf reads :
[riverbed_steelhead]
REGEX = (10.12.0.20:10.0.0.33:10.10.20.185)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::riverbed_steelhead
[sourcetype_cisco_asa]
REGEX = (10.12.254.1:10.10.20.254:10.1.250.254)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::cisco_asa
I get the Error :
Possible typo in stanza [riverbed_steelhead] in transforms.conf. Line 4
Possible typo in stanza [sourcetype_cisco_asa] in transforms.conf. Line 10
Can someone help me find my problem please.
FYI : I also tried the format :
REGEX = (10.\12.0.20|10.0.0.33|10.10.20.185)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Both answers were spot on.
Thanks,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Neil,
You should be able to put all of your transforms on one line...ie.
[source::udp::514]
TRANSFORMS-firepass_stuff = firepass_sourcetyper,firepass_hostnamer
Also keep in mind that the DEST_KEY(s) are case sensitive, so you would need:
[firepass_sourcetyper]
REGEX = (?:192.168.249.106)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::firepass_log
[firepass_hostnamer]
REGEX = (?:192.168.249.106)
DEST_KEY = MetaData:Host
FORMAT = host::rm.markerstudy.com
Hope that helps.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, I think you problem is that the MetaData variables are case sensative.
Try:
In props.conf
[source::udp:514]
TRANSFORMS-firepasssoucetype = firepass_sourcetyper
TRANSFORMS-firepasshostname = firepass_hostnamer
In transforms.conf
[firepass_sourcetyper]
REGEX = (?:192.168.249.106)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::firepass_log
[firepass_hostnamer]
REGEX = (?:192.168.249.106)
DEST_KEY = MetaData:Host
FORMAT = host::rm.markerstudy.com
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
