I am new to Splunk and I am now going to receive syslog from multiple devices on UDP 514, so I can't define a specific sourcetype for UDP:514, right? I installed the Fortigate apps and edited /etc/hosts to resolve the IP. I can successfully resolve the IP to the hostname "fortigate", and below are my inputs.conf and props.conf files.
inputs.conf
[udp://514]
connection_host = dns
props.conf
[host::fortigate]
sourcetype = fortigate
It is not working; the sourcetype of the data is still shown as UDP:514. Did I do anything wrong?
Thanks for helping.
The inputs.conf UDP stanza sets the sourcetype and the source.
This will need to be overridden, and a props.conf by itself is not enough.
See this post: http://answers.splunk.com/answers/34251/udp514-and-source-types
Hope this helps.
Thanks for helping. I have now successfully overridden the sourcetype for the Fortigate, and my configs are:
inputs.conf
[udp://514]
connection_host = dns
sourcetype = syslog
props.conf
[syslog]
TRANSFORMS-sourcetype_and_host_override = fortigate
SHOULD_LINEMERGE = false
transforms.conf
[fortigate]
DEST_KEY = MetaData:Sourcetype
REGEX = fortigate
FORMAT = sourcetype::fortigate
But how can I override the sourcetype if I have another host coming in on UDP 514? Thanks
You can do (inputs.conf; the key is lowercase `index`, Splunk setting names are case-sensitive)
[udp://iPaddress:514]
index = foo
sourcetype = bar
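As an added illustration (not configuration from any post above), here is a complete layout for several syslog senders sharing one UDP 514 listener. It goes beyond the thread in one respect: the transforms are keyed on the resolved host field rather than on the event text, so an event from another device that merely contains the string "fortigate" is not retyped. The host names `fortigate` and `coreswitch`, the sourcetype `cisco:ios` and the index name `network` are assumptions for the example; the Splunk setting names and the `host::` prefix on the host metadata value are as documented by Splunk.

```ini
# inputs.conf: one listener for every syslog sender. The host field is set from
# the reverse lookup (DNS or /etc/hosts) of the sending IP, so the regexes below
# must match exactly what that lookup returns (assumed here: "fortigate", "coreswitch").
[udp://514]
connection_host = dns
sourcetype = syslog
index = network

# props.conf: apply the host-keyed transforms to everything that arrives tagged
# "syslog". Transforms in the list are evaluated left to right.
[syslog]
TRANSFORMS-sourcetype_by_host = st_fortigate, st_cisco
SHOULD_LINEMERGE = false

# transforms.conf: match on the host metadata (its value carries the "host::"
# prefix), not on the default SOURCE_KEY of _raw, and rewrite the sourcetype.
[st_fortigate]
SOURCE_KEY = MetaData:Host
REGEX = ^host::fortigate$
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::fortigate

[st_cisco]
SOURCE_KEY = MetaData:Host
REGEX = ^host::coreswitch$
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::cisco:ios
```

Two practical checks before trusting it: run `splunk btool props list syslog --debug` and `splunk btool transforms list st_fortigate --debug` to confirm the stanzas are the ones Splunk actually merges (a stray copy in another app can shadow them), then restart, because these are index-time settings and only events arriving after the restart are affected; already indexed events keep the sourcetype they were stored with. The per-IP `[udp://<ip>:514]` stanza from the answer above is the alternative when you would rather not depend on reverse DNS at all.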
Yes, the host is shown as "fortigate"; sourcetype and source are UDP:514.
Shouldn't the sourcetype be present in the udp://... inputs stanza?
Does the host of the data show up as fortigate?