Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is per-event sourcetype override not working with my current props.conf and transforms.conf configuration?

dannestor
Explorer
‎10-21-2015 02:04 AM

Hello fellow Splunkers, this is my first post here!

I am trying to configure per-event source type overriding. I have edited the following files:

$SPLUNK_HOME/etc/system/local/transforms.conf:

[windows_logs]
REGEX = AgentDevice=WindowsLog
FORMAT = sourcetype::windows
DEST_KEY = MetaData:SourceType

$SPLUNK_HOME/etc/system/local/props.conf:

[source::tcp:1514]
TRANSFORMS-windows = windows_logs

After editing the files, I restarted Splunk. I am still seeing, however, messages like this:

<13>Oct 21 11:00:17 server.blah.com AgentDevice=WindowsLog  AgentLogFile=Security   PluginVersion=7.2.2.984723  Source=Microsoft-Windows-Security-Auditing  [snip]
source tcp:1514 
sourcetype syslog

Notice that the event contains the string AgentDevice=WindowsLog, but the sourcetype is not changed. The source type "windows" exists, I created it.

Can you help with this configuration? It could be something really simple, I'm quite new to Splunk. Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dannestor
Explorer
‎10-21-2015 04:30 AM

The problem was a typo in my DEST_KEY field, which is case-sensitive.
Replacing with the following line, everything works.

DEST_KEY = MetaData:Sourcetype

View solution in original post

Reply
Solved! Jump to solution
Solution

dannestor
Explorer
‎10-21-2015 04:30 AM

The problem was a typo in my DEST_KEY field, which is case-sensitive.
Replacing with the following line, everything works.

DEST_KEY = MetaData:Sourcetype
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...