Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: override source field to a common source using...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
override source field to a common source using transform.conf and props.conf
Hi
I want to have a common source field for all my syslog. I have centralized syslog server where I am running splunkforwarder to send all remote hosts logs to splunk.
currently source filed is default which is "/var/log/syslog/%year%/%month%/%date%/%host%/syslog"
what I want is "/var/log/syslog" - I want this static for all logs. how to do this with transforms.conf and props.conf
I know I can do it in input.conf by just mentioning source="/var/log/syslog". I tried that and it works but it's breaking host field. I am overriding host field using host_segment in input.conf. so if I put static source there it breaks host_segment and splunk can't parse host.
current configs,
transform.conf
[source]
FORMAT = source::/var/log/syslog
SOURCE_KEY=MetaData:Source
DEST_KEY = MetaData:Source
props.conf
[sourceoverride]
TRANSFORMS-source = source
SHOULD_LINEMERGE = false
input.conf
[monitor:///var/log/rsyslog/////syslog]
disabled = false
followTail=0
host_segment = 7
blacklist = .(gz)$
sourcetype = syslog
source=/var/log/syslog
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your transforms.conf is missing the REGEX part. Even though you don't need it functionally, it is a mandatory setting for indextime transforms.
So just add REGEX = . and then I think it should work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just tried this. didn't work. Somehow it seems like splunk is ignoring transforms and props config files. no effect at all.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you try my suggestion combined with the other answer about using [syslog]?
Because using [sourceoverride] in your props.conf is incorrect. You need to put your actual sourcetype between de square brackets not some
random word.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you try props as below:
props.conf
[syslog]
TRANSFORMS-source = source
SHOULD_LINEMERGE = false
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tried your suggestion, didn't work. no effect.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
