Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Couldn't set sourcetype on transforms.conf

tdepablo88
Explorer
‎01-07-2021 05:40 AM

Hi,

I'm having an issue with the set of the sourcetype in transforms.conf at the moment of sending the data of a single file to an a index. In first instance the data sends to another index succesfully but with the wrong sourcetype. Here are my conf files:

props.conf:

[snmp-traps_cisco-prime]
DATETIME_CONFIG =
NO_BINARY_CHECK = true
category = Custom
description = Sourcetype Generico SNMP TRAPS CISCO PRIME
pulldown_type = true
disabled = false
TRANSFORMS-reenvioindexes_cambiostype = aruba

transforms.conf:

[aruba]
REGEX = \[UDP\:\s\[115\.100\.9\.100\]
DEST_KEY = _MetaData:Index
FORMAT = aruba
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype:🇦🇼stm

P.D: im trying to asign a Aruba Networks sourcetype of a snmptrap.

Thanks in advance.

Diego

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-07-2021 12:12 PM

The DEST_KEY value must match what's in the docs (https://docs.splunk.com/Documentation/Splunk/8.1.1/Admin/Transformsconf#KEYS🙂 *exactly*.

DEST_KEY = MetaData:Sourcetype

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

tdepablo88
Explorer
‎01-07-2021 01:37 PM

I'm very thankful with this help Rich, thanks again.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎01-07-2021 06:27 AM

One cannot change more than one DEST_KEY in the same transform.  If a single stanza contains the same key more than once, the last setting is used.  In the example, only MetaData:Sourcetype is set.  To set two keys, use two transforms.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

tdepablo88
Explorer
‎01-07-2021 10:37 AM

Hi Rich,

i applied the configuration what you mention, but the sourcetype still the same.

Here are my new files:

props.conf

[snmp-traps_cisco-prime]
DATETIME_CONFIG =
NO_BINARY_CHECK = true
category = Custom
description = Sourcetype Generico SNMP TRAPS CISCO PRIME
pulldown_type = true
disabled = false
TRANSFORMS-reenvioindexes = aruba
TRANSFORMS-cambiosourcetype = aruba_stype

transforms.conf

[aruba]
REGEX = \[UDP\:\s\[115\.100\.9\.100\]
DEST_KEY = _MetaData:Index
FORMAT = aruba

[aruba_stype]
REGEX = \[UDP\:\s\[115\.100\.9\.100\]
DEST_KEY = Metadata:Sourcetype
FORMAT = sourcetype:🇦🇼stm

And when i restart i have the next message.

"Undocumented key used in transforms.conf; stanza='aruba_stype' setting='DEST_KEY' key='Metadata:Sourcetype'
Please resolve these problems by correcting typos in key names, or by adding them to [accepted_keys] in transforms.conf if they are intended."

Thanks again.

Tags (1)
0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-07-2021 12:12 PM

The DEST_KEY value must match what's in the docs (https://docs.splunk.com/Documentation/Splunk/8.1.1/Admin/Transformsconf#KEYS🙂 *exactly*.

DEST_KEY = MetaData:Sourcetype

 

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...