Getting Data In

Why does searching for an absolute sourcetype name require a wildcard?

okheggdal
Explorer

I have configured props.conf and transforms.conf on a Heavy Forwarder in order to split an existing sourcetype into sub categories. I have utilized what appears to be the general convention for naming layers in sourcetypes, i.e. a:b:c:d.

Now, the sourcetype I am splitting is a:b, which is generating a:b:c and a:b:c:d. Everything is working fine and I am getting the data into the indexes and the formatting is perfect. What is bothering me is that in order to search for the a:b:c and a:b:c:d source I have to use a trailing wildcard. As a:b:c and a:b:c:d each contain quite a bit of data I would like to look at either one.

It's in no way a show-stopper but I would just like to check if I have missed something with regards to the config or if this is just the way it is.

props.conf

[a:b]
TRANSFORMS-changeSourceType = set:a:b:c, set:a:b:c:d
BREAK_ONLY_BEFORE = (%)|(VOIP_CALL_STATISTICS)

transforms.conf

[set:a:b:c]
DEST_KEY = MetaData:Sourcetype
REGEX = (%VOIP)
FORMAT = a:b:c

[set:a:b:c:d]
DEST_KEY = MetaData:Sourcetype
REGEX = (VOIP_CALL_STATISTICS)|(DSP)
FORMAT = a:b:c:d

Edit:

After some further investigations it gets even stranger, where I have to include a search word in order for data to be displayed, in addition to the trailing wildcard:

index=something sourcetype=a:b:c:d* gives no results. index=something sourcetype=a:b:c:d* foo gives results containing foo.

I forgot to mention I am running version 6.5.0.

0 Karma
1 Solution

christeraustad
Explorer

Hi,

You need to prepend sourcetype:: in the FORMAT value.

[set:a:b:c]
DEST_KEY = MetaData:Sourcetype
REGEX = (%VOIP)
FORMAT = sourcetype::a:b:c

[set:a:b:c:d]
DEST_KEY = MetaData:Sourcetype
REGEX = (VOIP_CALL_STATISTICS)|(DSP)
FORMAT = sourcetype::a:b:c:d


0 Karma
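As an added check (not part of this thread and not a Splunk tool), a small Python linter that reads constructed copies of the two files above and flags a MetaData:Sourcetype transform whose FORMAT lacks the sourcetype:: prefix, as well as any TRANSFORMS- reference to a stanza that does not exist in transforms.conf:

```python
import configparser

# Constructed sample configs mirroring the post: the first transform still
# has the question's bare FORMAT, the second has the accepted answer's prefix.
PROPS_CONF = """
[a:b]
TRANSFORMS-changeSourceType = set:a:b:c, set:a:b:c:d
BREAK_ONLY_BEFORE = (%)|(VOIP_CALL_STATISTICS)
"""

TRANSFORMS_CONF = """
[set:a:b:c]
DEST_KEY = MetaData:Sourcetype
REGEX = (%VOIP)
FORMAT = a:b:c

[set:a:b:c:d]
DEST_KEY = MetaData:Sourcetype
REGEX = (VOIP_CALL_STATISTICS)|(DSP)
FORMAT = sourcetype::a:b:c:d
"""

def load_conf(text):
    # Splunk .conf files are INI-like. Interpolation is disabled because REGEX
    # values legitimately contain '%'; only '=' separates key and value, and
    # key case is preserved so TRANSFORMS- stays recognisable.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp

def lint(props_text, transforms_text):
    """Return a list of (stanza, problem) tuples; an empty list means clean."""
    props, transforms = load_conf(props_text), load_conf(transforms_text)
    problems = []
    for stanza in props.sections():
        for key, value in props.items(stanza):
            if not key.startswith("TRANSFORMS-"):
                continue
            for name in (n.strip() for n in value.split(",")):
                if not transforms.has_section(name):
                    problems.append((stanza, f"{key} references missing stanza {name}"))
    for stanza in transforms.sections():
        if transforms.get(stanza, "DEST_KEY", fallback="") != "MetaData:Sourcetype":
            continue
        fmt = transforms.get(stanza, "FORMAT", fallback="")
        if not fmt.startswith("sourcetype::"):
            problems.append((stanza, f"FORMAT must be sourcetype::<name>, got {fmt!r}"))
    return problems
```

Run against the samples, it reports only [set:a:b:c]; once that stanza's FORMAT is changed to sourcetype::a:b:c it reports nothing.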


xpac
SplunkTrust

Just to get it right - you don't get data when searching for sourcetype=a:b:c, but it works with sourcetype=a:b:c*?

0 Karma

okheggdal
Explorer

Yes, that is correct. Edit to make a bit more clear. 🙂

0 Karma