Getting Data In

Why is per-event sourcetype override not working with my current props.conf and transforms.conf configuration?

dannestor
Explorer

Hello fellow Splunkers, this is my first post here!

I am trying to configure per-event source type overriding. I have edited the following files:

$SPLUNK_HOME/etc/system/local/transforms.conf:

[windows_logs]
REGEX = AgentDevice=WindowsLog
FORMAT = sourcetype::windows
DEST_KEY = MetaData:SourceType

$SPLUNK_HOME/etc/system/local/props.conf:

[source::tcp:1514]
TRANSFORMS-windows = windows_logs

After editing the files, I restarted Splunk. I am still seeing, however, messages like this:

<13>Oct 21 11:00:17 server.blah.com AgentDevice=WindowsLog  AgentLogFile=Security   PluginVersion=7.2.2.984723  Source=Microsoft-Windows-Security-Auditing  [snip]
source tcp:1514 
sourcetype syslog   

Notice that the event contains the string AgentDevice=WindowsLog, but the sourcetype is not changed. The source type "windows" exists, I created it.

Can you help with this configuration? It could be something really simple, I'm quite new to Splunk. Thanks!

0 Karma
1 Solution

dannestor
Explorer

The problem was a typo in my DEST_KEY field, which is case-sensitive.
Replacing with the following line, everything works.

DEST_KEY = MetaData:Sourcetype

View solution in original post

dannestor
Explorer

The problem was a typo in my DEST_KEY field, which is case-sensitive.
Replacing with the following line, everything works.

DEST_KEY = MetaData:Sourcetype
Get Updates on the Splunk Community!

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Getting Started with AIOps:Event Correlation Basics and Alert Storm Detection in Splunk IT Service ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...