Splunk Enterprise

props.conf cant figure source

standias
Explorer

Hi,

I have enabled content based routing in my environment; consisting of a lightweight forwarder (A) & a splunk server (B).

I have set REGEX on server side (B) to filter out logs I dont want from a file monitored on A. I want to filter out events that match my REGEX & index them to index sis & drop events that dont match by sending them to nullQueue.

Also I guess since I already mentioned index in transforms.conf I dont need to configure anything in outputs.conf

However i cant seem to figure out what to set as source i.e in props.conf

I have set the receiver on B as 8001. i.e. splunkserver:8001 How do I set this in my props.conf??

props.conf

['what do i set here?']

TRANSFORMS-routing3 = shell,others


transforms.conf

[shell]

REGEX= .*([Ss][Ii])

DEST_KEY=_MetaData:Index

FORMAT= sis

[others]

REGEX=^((?![Ss][Ii])).)*$

DEST_KEY=queue

FORMAT=nullQueue

0 Karma
1 Solution

CarlS
Explorer

The easiest way to do it would be to specify a sourcetype name in inputs.conf on your lightweight forwarder. Just add sourcetype=myshellstuff to the stanza you're using for watching this particular data. Then you can change ['what do i set here?'] to [myshellstuff].

['what do i set here?'] can be lots of stuff though. Check out http://www.splunk.com/base/Documentation/latest/Admin/Propsconf for more info; specifically the section on about []. It's right at the top, and it has a list of all the stuff can be.

View solution in original post

0 Karma

standias
Explorer

For reference :

====inputs.conf on LightWeight Forwarder side:

[monitor://D:\LOGS\Sis102010.txt ] sourcetype= src_Si

====props.conf on Indexer side:

[src_Si]

TRANSFORMS-routing3 = shell,others

====transforms.conf

Same as before

0 Karma

CarlS
Explorer

The easiest way to do it would be to specify a sourcetype name in inputs.conf on your lightweight forwarder. Just add sourcetype=myshellstuff to the stanza you're using for watching this particular data. Then you can change ['what do i set here?'] to [myshellstuff].

['what do i set here?'] can be lots of stuff though. Check out http://www.splunk.com/base/Documentation/latest/Admin/Propsconf for more info; specifically the section on about []. It's right at the top, and it has a list of all the stuff can be.

0 Karma

standias
Explorer

Solved!! Thanks CarlS 🙂

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...