Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Trying to override a syslog UDP sourcetype based o...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've read many threads and tried multiple examples on this and am getting nowhere. first some history on the issue:
I have some NAS devices that have the ability to forward their local logs to a syslog server, but I have no control over the UDP port. So all this data is going directly into UDP/514 on the splunk server along with data from a few hundred linux hosts. Now I've been able to set event types for the NAS devices but I cannot extract fields against event types, so what I am trying to do is either:
a) write all the netapp data to a different index or
b) override the sourcetype to have something I can write transforms against
I've seen many examples for both but I haven't successfully gotten any of them to work.
The part of the naming convention I want to key off of is simple enough, I am looking for the word "nas" somewhere in the hostname. I've tried setting the following in props.conf:
[host::nas]
sourcetype = syslog_nas
and I've also tried the following in transforms.conf, both at the etc/system/local level
[nas_set_sourcetype]
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Sourcetype
REGEX = ^host::.nas.
FORMAT = syslog_nas
Can someone please point me in the correct direction? Any help is greatly appreciated!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you're looking for the host to match anything with nas in the name, you'll have to break out some regex to match that. Something like:
[host:.nas.]
See http://docs.splunk.com/Documentation/Splunk/latest/admin/Propsconf for information regarding matching these keys in props.
Thanks,
--adam
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you're looking for the host to match anything with nas in the name, you'll have to break out some regex to match that. Something like:
[host:.nas.]
See http://docs.splunk.com/Documentation/Splunk/latest/admin/Propsconf for information regarding matching these keys in props.
Thanks,
--adam
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you! Problem was in props.conf in how I was referencing the transform. All is working now!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks jonuwz, I've made the correction but it doesn't seem to have made a difference. 😞 whenever I search for sourcetype=syslog_nas, I'm still getting no results, but if I change it to eventtype=nas, I have hundreds coming in real time.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't know why but my asterisks are getting lost in the posting it should be but nas in both areas are surrounded by asterisks
Data Management Digest – December 2025
Index This | What is broken 80% of the time by February?
Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...
