Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Why does searching absolute sourcetype name re...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
okheggdal
Explorer
05-23-2018
11:55 PM
I have configured props.conf and transforms.conf on a Heavy Forwarder in order to split an existing sourcetype into sub categories. I have utilized what appears to be the general convention for naming layers in sourcetypes ie: a:b:c:d.
Now, the sourcetype I am splitting is a:b which are generating a:b:c and a:b:c:d. Everything is working fine and I am getting the data into the indexes and the formatting is perfect. What is bothering me is that in order to search for the a:b:c and a:b:c:d source I have to use a trailing wilcard. As a:b:c and a:b:c:d each contain quite a bit of data I would like to look at either or.
Its in no way a show-stopper but I would just like to check if I have missed something with regards to the config or if this is just the way it is.
props.conf
[a:b]
TRANSFORMS-changeSourceType = set:a:b:c, set:a:b:c:d
BREAK_ONLY_BEFORE = (%)|(VOIP_CALL_STATISTICS)
transforms.conf
[set:a:b:c]
DEST_KEY = MetaData:Sourcetype
REGEX = (%VOIP)
FORMAT = a:b:c
[set:a:b:c:d]
DEST_KEY = MetaData:Sourcetype
REGEX = (VOIP_CALL_STATISTICS)|(DSP)
FORMAT = a:b:c:d
Edit:
After some further investigations it gets even stranger where I have to include a search word in order for data to displayed in addition to the trailing wildcard:
index=something sourcetype=a:b:c:d* gives no results. index=something sourcetype=a:b:c:d* foo gives results containing foo.
I forgot to mention I am running version 6.5.0.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
christeraustad
Explorer
05-24-2018
04:46 AM
Hi,
You need to prepend sourcetype:: in the FORMAT value.
[set:a:b:c]
DEST_KEY = MetaData:Sourcetype
REGEX = (%VOIP)
FORMAT = sourcetype::a:b:c
[set:a:b:c:d]
DEST_KEY = MetaData:Sourcetype
REGEX = (VOIP_CALL_STATISTICS)|(DSP)
FORMAT = sourcetype::a:b:c:d
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
christeraustad
Explorer
05-24-2018
04:46 AM
Hi,
You need to prepend sourcetype:: in the FORMAT value.
[set:a:b:c]
DEST_KEY = MetaData:Sourcetype
REGEX = (%VOIP)
FORMAT = sourcetype::a:b:c
[set:a:b:c:d]
DEST_KEY = MetaData:Sourcetype
REGEX = (VOIP_CALL_STATISTICS)|(DSP)
FORMAT = sourcetype::a:b:c:d
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
xpac
SplunkTrust
05-24-2018
02:13 AM
Just to get it right - you don't get data when searching for sourcetype=a:b:c, but it works with sourcetype=a:b:c*?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
okheggdal
Explorer
05-24-2018
02:37 AM
Yes, that is correct. Edit to make a bit more clear. 🙂
Get Updates on the Splunk Community!
See your relevant APM services, dashboards, and alerts in one place with the updated ...
As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
Index This | What goes away as soon as you talk about it?
May 2025 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this month’s ...
What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025
This month, we’re delivering several new innovations in Splunk Observability Cloud and Splunk AppDynamics ...
