Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

override source field to a common source using transform.conf and props.conf

meet_vadaria
Engager
‎12-06-2018 05:31 PM

Hi

I want to have a common source field for all my syslog. I have centralized syslog server where I am running splunkforwarder to send all remote hosts logs to splunk.

currently source filed is default which is "/var/log/syslog/%year%/%month%/%date%/%host%/syslog"
what I want is "/var/log/syslog" - I want this static for all logs. how to do this with transforms.conf and props.conf

I know I can do it in input.conf by just mentioning source="/var/log/syslog". I tried that and it works but it's breaking host field. I am overriding host field using host_segment in input.conf. so if I put static source there it breaks host_segment and splunk can't parse host.

current configs,

transform.conf
[source]
FORMAT = source::/var/log/syslog
SOURCE_KEY=MetaData:Source
DEST_KEY = MetaData:Source

props.conf
[sourceoverride]
TRANSFORMS-source = source
SHOULD_LINEMERGE = false

input.conf
[monitor:///var/log/rsyslog/////syslog]
disabled = false
followTail=0
host_segment = 7
blacklist = .(gz)$
sourcetype = syslog

source=/var/log/syslog

0 Karma
Reply

FrankVl
Ultra Champion
‎12-07-2018 02:21 AM

Your transforms.conf is missing the REGEX part. Even though you don't need it functionally, it is a mandatory setting for indextime transforms.

So just add REGEX = . and then I think it should work.

0 Karma
Reply

meet_vadaria
Engager
‎12-07-2018 09:48 AM

Just tried this. didn't work. Somehow it seems like splunk is ignoring transforms and props config files. no effect at all.

0 Karma
Reply

FrankVl
Ultra Champion
‎12-07-2018 01:37 PM

Did you try my suggestion combined with the other answer about using [syslog]?

Because using [sourceoverride] in your props.conf is incorrect. You need to put your actual sourcetype between de square brackets not some
random word.

0 Karma
Reply

p_gurav
Champion
‎12-06-2018 10:27 PM

Can you try props as below:

props.conf
[syslog]
TRANSFORMS-source = source
SHOULD_LINEMERGE = false
0 Karma
Reply

meet_vadaria
Engager
‎12-06-2018 10:38 PM

tried your suggestion, didn't work. no effect.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Continue Your Federation Journey: Join Session 3 of the Bootcamp Series

To help practitioners build a stronger foundation, we launched the Data Management & Federation ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Casting Call: Compete in Cyber Games

Lights, Camera, SecOps: Apply to Compete in Cyber Games     Think you have what it takes to beat the clock? ...