Solved: Re: What are the sequence of execution transforms ...

fxyfrank_acn · ‎02-07-2019

Hi,

We want to change sourcetype and then send data to two different Splunk Indexers.

What is happening is the sourcetype is getting changed (that means first props.conf stanza is working) BUT the seconds props.conf stanza present in the apps folder is not working (It is only sending the logs to default output group).

Configuration files for change sourcetypes are located in the /system/local folder and route data configuration files are in the /apps/application/local/ folder.

Does anyone have similar issue? Thanks!

SPLUNK_HOME/etc/system/local/

props.conf

[source::/abc/xyz.log]
TRANSFORMS-changesourcetype = st

transforms.conf

[st]
REGEX = \.*\[12345]\.*
FORMAT = sourcetype::sourcetype1
DEST_KEY = MetaData:Sourcetype

SPLUNK_HOME/etc/apps/application/local

props.conf

[sourcetype1]
TRANSFORMS-routing = route_data

transforms.conf

[route_data]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = indexer1, indexer2

chrisyounger · ‎02-07-2019

The sourcetype is only checked once as the event enters the pipeline. So change your routing to be for [source::/abc/xyz.log] instead

View solution in original post

chrisyounger · ‎02-07-2019

The sourcetype is only checked once as the event enters the pipeline. So change your routing to be for [source::/abc/xyz.log] instead

What are the sequence of execution transforms across different stanza and locations?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation