Splunk Enterprise

Couldn't set sourcetype on transforms.conf

tdepablo88
Explorer

Hi,

I'm having an issue with the set of the sourcetype in transforms.conf at the moment of sending the data of a single file to an a index. In first instance the data sends to another index succesfully but with the wrong sourcetype. Here are my conf files:

props.conf:

[snmp-traps_cisco-prime]
DATETIME_CONFIG =
NO_BINARY_CHECK = true
category = Custom
description = Sourcetype Generico SNMP TRAPS CISCO PRIME
pulldown_type = true
disabled = false
TRANSFORMS-reenvioindexes_cambiostype = aruba

transforms.conf:

[aruba]
REGEX = \[UDP\:\s\[115\.100\.9\.100\]
DEST_KEY = _MetaData:Index
FORMAT = aruba
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype:🇦🇼stm

P.D: im trying to asign a Aruba Networks sourcetype of a snmptrap.

Thanks in advance.

Diego

 

Labels (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

The DEST_KEY value must match what's in the docs (https://docs.splunk.com/Documentation/Splunk/8.1.1/Admin/Transformsconf#KEYS🙂 *exactly*.

DEST_KEY = MetaData:Sourcetype

 

---
If this reply helps you, an upvote would be appreciated.

View solution in original post

tdepablo88
Explorer

I'm very thankful with this help Rich, thanks again.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

One cannot change more than one DEST_KEY in the same transform.  If a single stanza contains the same key more than once, the last setting is used.  In the example, only MetaData:Sourcetype is set.  To set two keys, use two transforms.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

tdepablo88
Explorer

Hi Rich,

i applied the configuration what you mention, but the sourcetype still the same.

Here are my new files:

props.conf

[snmp-traps_cisco-prime]
DATETIME_CONFIG =
NO_BINARY_CHECK = true
category = Custom
description = Sourcetype Generico SNMP TRAPS CISCO PRIME
pulldown_type = true
disabled = false
TRANSFORMS-reenvioindexes = aruba
TRANSFORMS-cambiosourcetype = aruba_stype

transforms.conf

[aruba]
REGEX = \[UDP\:\s\[115\.100\.9\.100\]
DEST_KEY = _MetaData:Index
FORMAT = aruba

[aruba_stype]
REGEX = \[UDP\:\s\[115\.100\.9\.100\]
DEST_KEY = Metadata:Sourcetype
FORMAT = sourcetype:🇦🇼stm

And when i restart i have the next message.

"Undocumented key used in transforms.conf; stanza='aruba_stype' setting='DEST_KEY' key='Metadata:Sourcetype'
Please resolve these problems by correcting typos in key names, or by adding them to [accepted_keys] in transforms.conf if they are intended."

Thanks again.

Tags (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

The DEST_KEY value must match what's in the docs (https://docs.splunk.com/Documentation/Splunk/8.1.1/Admin/Transformsconf#KEYS🙂 *exactly*.

DEST_KEY = MetaData:Sourcetype

 

---
If this reply helps you, an upvote would be appreciated.

View solution in original post

.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!