Why doesn't my Transform sourcetype work?

manuelmosca · ‎03-17-2023

Hi, I'm tring to change the sourcetype of all data of a specific source

in props.conf

[source::/var/log/messages]
TRANSFORMS-change_sourcetype = syslog_sourcetype_change

in transform.conf

[syslog_sourcetype_change]
SOURCE_KEY = MetaData:Sourcetype
REGEX = .*
FORMAT = sourcetype::syslog:nix
DEST_KEY = MetaData:Sourcetype

I checked the running config via btool and the stanzas are correctly configured on my heavy forwarder but it not works, the logs remain into syslog sourcetype

Thanks in advance

PickleRick · ‎03-17-2023

OK, I hope it's only a typo when posting here, because the file should be called transforms.conf, not transform.conf (if you checked with btool, you should have noticed that so I'm assuming that it's only here)

Other than that it looks pretty OK.

manuelmosca · ‎03-19-2023

Yes is a typo, I forgot the s...

I'm not understanding why it not works, from splunk documentation and you comment the parameters are rights

PickleRick · ‎03-20-2023

OK. Then are you sure your files are in the right place? What is your data flow and where these settings are?

manuelmosca · ‎03-22-2023

strange but true, now the config works... I've not changed anything

Thanks

Why doesn't my Transform sourcetype work?

heavy forwarder

AI for AppInspect

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Join the Conversation

Why doesn't my Transform sourcetype work?

heavy forwarder

AI for AppInspect

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+