Problem on Changing Syslog Sourcetype

element1314 · ‎08-29-2019

The problem is on changing syslog sourcetype into another one.
I read all splunk answer about it. I am following the instruction that i have been learn from there.
But it is still not success. All new source from udp:514 are still ingest under sourcetype=syslog

What did I do as below:
1. Create a new folder under apps with "splunk" account full access
2. Create a new props.conf and transform.conf under \newapp\local\
3. Props.conf

[syslog]
TRANSFORMS-force_sourcetype_for_newapp = force_sourcetype_for_newapp

Transforms.conf

[force_source_for_newapp]
DEST_KEY = MetaData:Sourcetype
REGEX = newapp
FORMAT = sourcetype::newapp

Any idea what going wrong?

sduff_splunk · ‎08-29-2019

Change REGEX = newapp to REGEX = .

In your example, the sourcetype renaming would only happen to events that contain "newapp". REGEX=. means that it will apply to any events that pass through this transform.

Also, in props, you call it force_sourcetype_for_newapp, and in transforms, you call it force_source_for_newapp. They should be the same.

Overall, your file should look like this.

props.conf

[syslog]
TRANSFORMS-force_sourcetype_for_newapp = force_sourcetype_for_newapp

transforms.conf

[force_sourcetype_for_newapp]
DEST_KEY = MetaData:Sourcetype
REGEX = .
FORMAT = sourcetype::newapp

Have you restarted your Splunk instance after this change?

Problem on Changing Syslog Sourcetype

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!