Solved: Re: What are the sequence of execution transforms ...

fxyfrank_acn · ‎02-07-2019

Hi,

We want to change sourcetype and then send data to two different Splunk Indexers.

What is happening is the sourcetype is getting changed (that means first props.conf stanza is working) BUT the seconds props.conf stanza present in the apps folder is not working (It is only sending the logs to default output group).

Configuration files for change sourcetypes are located in the /system/local folder and route data configuration files are in the /apps/application/local/ folder.

Does anyone have similar issue? Thanks!

SPLUNK_HOME/etc/system/local/

props.conf

[source::/abc/xyz.log]
TRANSFORMS-changesourcetype = st

transforms.conf

[st]
REGEX = \.*\[12345]\.*
FORMAT = sourcetype::sourcetype1
DEST_KEY = MetaData:Sourcetype

SPLUNK_HOME/etc/apps/application/local

props.conf

[sourcetype1]
TRANSFORMS-routing = route_data

transforms.conf

[route_data]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = indexer1, indexer2

chrisyounger · ‎02-07-2019

The sourcetype is only checked once as the event enters the pipeline. So change your routing to be for [source::/abc/xyz.log] instead

View solution in original post

chrisyounger · ‎02-07-2019

The sourcetype is only checked once as the event enters the pipeline. So change your routing to be for [source::/abc/xyz.log] instead

What are the sequence of execution transforms across different stanza and locations?

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7