Solved: Re: What are the sequence of execution transforms ...

fxyfrank_acn · ‎02-07-2019

Hi,

We want to change sourcetype and then send data to two different Splunk Indexers.

What is happening is the sourcetype is getting changed (that means first props.conf stanza is working) BUT the seconds props.conf stanza present in the apps folder is not working (It is only sending the logs to default output group).

Configuration files for change sourcetypes are located in the /system/local folder and route data configuration files are in the /apps/application/local/ folder.

Does anyone have similar issue? Thanks!

SPLUNK_HOME/etc/system/local/

props.conf

[source::/abc/xyz.log]
TRANSFORMS-changesourcetype = st

transforms.conf

[st]
REGEX = \.*\[12345]\.*
FORMAT = sourcetype::sourcetype1
DEST_KEY = MetaData:Sourcetype

SPLUNK_HOME/etc/apps/application/local

props.conf

[sourcetype1]
TRANSFORMS-routing = route_data

transforms.conf

[route_data]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = indexer1, indexer2

chrisyounger · ‎02-07-2019

The sourcetype is only checked once as the event enters the pipeline. So change your routing to be for [source::/abc/xyz.log] instead

View solution in original post

chrisyounger · ‎02-07-2019

The sourcetype is only checked once as the event enters the pipeline. So change your routing to be for [source::/abc/xyz.log] instead

What are the sequence of execution transforms across different stanza and locations?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!