Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Why doesn't my Transform sourcetype work?

manuelmosca
New Member
‎03-17-2023 03:12 AM

Hi, I'm tring to change the sourcetype of all data of a specific source

in props.conf

[source::/var/log/messages]
TRANSFORMS-change_sourcetype = syslog_sourcetype_change

in transform.conf

[syslog_sourcetype_change]
SOURCE_KEY = MetaData:Sourcetype
REGEX = .*
FORMAT = sourcetype::syslog:nix
DEST_KEY = MetaData:Sourcetype

I checked the running config via btool and the stanzas are correctly configured on my heavy forwarder but it not works, the logs remain into syslog sourcetype

Thanks in advance

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎03-17-2023 09:01 AM

OK, I hope it's only a typo when posting here, because the file should be called transforms.conf, not transform.conf (if you checked with btool, you should have noticed that so I'm assuming that it's only here)

Other than that it looks pretty OK.

0 Karma
Reply

manuelmosca
New Member
‎03-19-2023 10:43 PM

Yes is a typo, I forgot the s...

I'm not understanding why it not works, from splunk documentation and you comment the parameters are rights

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎03-20-2023 06:54 AM

OK. Then are you sure your files are in the right place? What is your data flow and where these settings are?

0 Karma
Reply

manuelmosca
New Member
‎03-22-2023 05:45 AM

strange but true, now the config works... I've not changed anything

 

Thanks

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...