Splunk Enterprise Security

Problem on Changing Syslog Sourcetype

New Member

The problem is on changing syslog sourcetype into another one.
I read all splunk answer about it. I am following the instruction that i have been learn from there.
But it is still not success. All new source from udp:514 are still ingest under sourcetype=syslog

What did I do as below:
1. Create a new folder under apps with "splunk" account full access
2. Create a new props.conf and transform.conf under \newapp\local\
3. Props.conf

TRANSFORMS-force_sourcetype_for_newapp = force_sourcetype_for_newapp
  1. Transforms.conf

    DEST_KEY = MetaData:Sourcetype
    REGEX = newapp
    FORMAT = sourcetype::newapp

Any idea what going wrong?

0 Karma

Splunk Employee
Splunk Employee

Change REGEX = newapp to REGEX = .

In your example, the sourcetype renaming would only happen to events that contain "newapp". REGEX=. means that it will apply to any events that pass through this transform.

Also, in props, you call it force_sourcetype_for_newapp, and in transforms, you call it force_source_for_newapp. They should be the same.

Overall, your file should look like this.


TRANSFORMS-force_sourcetype_for_newapp = force_sourcetype_for_newapp


DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::newapp

Have you restarted your Splunk instance after this change?

0 Karma
Get Updates on the Splunk Community!

New Splunk Observability innovations: Deeper visibility and smarter alerting to ...

You asked, we delivered. Splunk Observability Cloud has several new innovations giving you deeper visibility ...

Synthetic Monitoring: Not your Grandma’s Polyester! Tech Talk: DevOps Edition

Register today and join TekStream on Tuesday, February 28 at 11am PT/2pm ET for a demonstration of Splunk ...

Instrumenting Java Websocket Messaging

Instrumenting Java Websocket MessagingThis article is a code-based discussion of passing OpenTelemetry trace ...