Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Why is source type override based on host not work...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
I have some switch logs which are configured to Splunk from 3 Universal Forwarders into one index. Based on host values, I renamed the source type by configuring props and transforms. I am able to see new source types in the index, but now the issue is when I search for that particular source type, it is not giving results.
index = index1 ----giving results and able to see sourcetypes in the field values as expected
index = index1 sourcetype = sourcetype1 ----- no results
props.conf
[orig_sourcetype]
TRANSFORMS-rename = index1_host1,index1_host2,index1_host3
transforms.conf
[index1_host1]
REGEX = host1
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype1
WRITE_META = true
[index1_host2]
REGEX = host2
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype2
WRITE_META = true
[index1_host3]
REGEX = host3
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype3
WRITE_META = true
Did I miss any configurations? Could any one please help? Thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @siva_cg,
Your configuration is not correct to set sourcetype, look at answer given by me on this question https://answers.splunk.com/answers/686241/metadata-transforms-not-being-applied-after-series-1.html#...
Try to set transforms.conf like this
[index1_host1]
REGEX = host1
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::sourcetype1
[index1_host2]
REGEX = host2
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::sourcetype2
[index1_host3]
REGEX = host3
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::sourcetype3
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @siva_cg,
Your configuration is not correct to set sourcetype, look at answer given by me on this question https://answers.splunk.com/answers/686241/metadata-transforms-not-being-applied-after-series-1.html#...
Try to set transforms.conf like this
[index1_host1]
REGEX = host1
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::sourcetype1
[index1_host2]
REGEX = host2
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::sourcetype2
[index1_host3]
REGEX = host3
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::sourcetype3
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Gorgeous - a bit counterintuitive FORMAT = sourcetype::sourcetype1 as DEST_KEY already species the destination via DEST_KEY = MetaData:Sourcetype.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you @harsmarvania57. It is working now.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@siva_cg try updating transforms.conf with WRITE_META = false and restart indexer(s) for new changes to take effect and see if it works.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I changed the WRITE_META value to false and restarted but still no luck @Rob2520. I am able to see the new sourcetype values in interested fields but not able to search for them.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Looks really clean @siva_cg, I wonder which log file tracks the transforms.conf work...
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
