Problem on Changing Syslog Sourcetype

element1314 · ‎08-29-2019

The problem is on changing syslog sourcetype into another one.
I read all splunk answer about it. I am following the instruction that i have been learn from there.
But it is still not success. All new source from udp:514 are still ingest under sourcetype=syslog

What did I do as below:
1. Create a new folder under apps with "splunk" account full access
2. Create a new props.conf and transform.conf under \newapp\local\
3. Props.conf

[syslog]
TRANSFORMS-force_sourcetype_for_newapp = force_sourcetype_for_newapp

Transforms.conf

[force_source_for_newapp]
DEST_KEY = MetaData:Sourcetype
REGEX = newapp
FORMAT = sourcetype::newapp

Any idea what going wrong?

sduff_splunk · ‎08-29-2019

Change REGEX = newapp to REGEX = .

In your example, the sourcetype renaming would only happen to events that contain "newapp". REGEX=. means that it will apply to any events that pass through this transform.

Also, in props, you call it force_sourcetype_for_newapp, and in transforms, you call it force_source_for_newapp. They should be the same.

Overall, your file should look like this.

props.conf

[syslog]
TRANSFORMS-force_sourcetype_for_newapp = force_sourcetype_for_newapp

transforms.conf

[force_sourcetype_for_newapp]
DEST_KEY = MetaData:Sourcetype
REGEX = .
FORMAT = sourcetype::newapp

Have you restarted your Splunk instance after this change?

Problem on Changing Syslog Sourcetype

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes