
configuring sourcetype with props transforms and inputs

New Member

Hello everyone,

I know there are many similar posts to this, and I have read a lot, but I can't seem to get it to work.

I am trying to manually change the sourcetype. I have a LWF and an indexer. I'm trying to change my iptables logs' sourcetype to "iptables". I've tried several different things. I probably have several things wrong; if someone could point me in the right direction or tell me exactly what to do, that would be great. Here is some stuff I have at the moment.

on my LWF:

inputs.conf:

[monitor:///var/log/kern.log]
sourcetype = test

[monitor:///var/log/syslog]
sourcetype = test

on my indexer:

props.conf:

[test]
TRANSFORMS-iptables = iptables

- also tried TRANSFORMS

transforms.conf:

[iptables]
DEST_KEY = MetaData:sourcetype
REGEX = \bIN\w*\b.*\bTCP\b
FORMAT = sourcetype::sourcetype

All my iptables logs have either INBOUND TCP or INPUT TCP; I'm trying to use an easy regex, as I haven't used one before.

Here is an example of a log:

Aug  6 10:50:03 VM2 kernel: [ 9468.989438]  INBOUND TCP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:c0:00:08:08:00 SRC=192.168.232.1 DST=192.168.232.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=312 PROTO=UDP SPT=138 DPT=138 LEN=209 

If there is something I didn't post that would be helpful, let me know.

Thanks!


Re: configuring sourcetype with props transforms and inputs

Splunk Employee

There are two issues here:

  1. In props.conf, an index-time transformation should be TRANSFORMS-iptables = iptables as opposed to REPORT-.
  2. In transforms.conf, the correct DEST_KEY, according to $SPLUNK_HOME/etc/system/README/transforms.conf.spec, is MetaData:Sourcetype.
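The two corrections above, assembled into complete stanzas as an added example (these are not the poster's files or Splunk's shipped defaults). It keeps the poster's stanza names and regex. One further value is changed here: with DEST_KEY = MetaData:Sourcetype, the text after sourcetype:: in FORMAT becomes the new sourcetype, so the posted FORMAT = sourcetype::sourcetype would have renamed the events to the literal string "sourcetype" rather than to "iptables". Index-time settings like these are applied by the first Splunk instance that parses the data, which with a light forwarder is the indexer, so props.conf and transforms.conf belong there, while the forwarder only needs inputs.conf to tag the events with the temporary sourcetype the TRANSFORMS- stanza keys on. SOURCE_KEY = _raw is the default and is spelled out only to make explicit what the regex runs against.

```ini
# inputs.conf on the light forwarder: tag the raw data with a temporary
# sourcetype that the indexer's props.conf stanza below matches on.
[monitor:///var/log/kern.log]
sourcetype = test

[monitor:///var/log/syslog]
sourcetype = test

# props.conf on the indexer: TRANSFORMS- runs at index time;
# REPORT- is a search-time field extraction and cannot rewrite metadata.
[test]
TRANSFORMS-iptables = iptables

# transforms.conf on the indexer: rewrite the sourcetype of matching events.
[iptables]
SOURCE_KEY = _raw
REGEX = \bIN\w*\b.*\bTCP\b
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::iptables
```

Two points worth checking after restarting splunkd on the indexer: events that do not match the regex stay under sourcetype test (so the rest of syslog and kern.log is not renamed), and the rewrite applies only to data indexed after the restart, so confirm with a search such as `index=* sourcetype=iptables` against newly arriving events. Note also that the regex keys on the literal log-prefix text (INBOUND TCP or INPUT TCP) rather than on the PROTO= field; the sample line above carries the INBOUND TCP prefix but PROTO=UDP and still matches.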

Re: configuring sourcetype with props transforms and inputs

New Member

Thanks, it seems to work now!