sourcetype override

jackykitkit · ‎09-16-2013

I am new to splunk and i am now going to receive syslog from multiple devices on UDP514, so i cant define a specific sourcetype to UDP:514, right? And I installed the Fortigate apps and edited the /etc/hosts to resolve the IP. I can successfully resolve the IP to hostname "fortigate" and below are my input.conf and props.conf files

input.conf
[udp://514]
connection_host = dns

props.conf
[host::fortigate]
sourcetype = fortigate

It is not working, sourcetype of the data still shown as UDP:514, did i do any wrong?
Thanks for helping

lukejadamec · ‎09-16-2013

The input.conf UDP sets the sourcetype, and source.

This will need to be overridden, and a props.conf by itself is not enough.

See this post: http://answers.splunk.com/answers/34251/udp514-and-source-types

Hope this helps.

jackykitkit · ‎09-18-2013

Thanks for helping, i am now successfully override the sourcetype of fortigate, and my config are:

input.conf
[udp://514]
connection_host = dns
sourcetype = syslog

props.conf
[syslog]
TRANSFORMS-sourcetype_and_host_override = fortigate
SHOULD_LINEMERGE = false

transforms.conf
[fortigate]
DEST_KEY = MetaData:Sourcetype
REGEX = fortigate
FORMAT = sourcetype::fortigate

But how can i override the sourcetype if i have another host come from udp514? thanks

adrianathome · ‎09-16-2013

You can do

[udp://iPaddress:514]
Index=foo
sourcetype=bar

jackykitkit · ‎09-16-2013

yes, the host shown as "fortigate" sourcetype and source are UDP:514

linu1988 · ‎09-16-2013

shouldn't the sourcetype be present in the udp://.. inputs stanza?

lguinn2 · ‎09-16-2013

Does the host of the data show up as fortigate?

sourcetype override

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability

Are you a member of the Splunk Community?

sourcetype override

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability