Issues with props and transforms

Abha11 · ‎08-27-2021

Hi All,

I have just copied across working props and transforms stanza from one HF to another for sqs logs.

however it’s having issues on using this props and transforms since logs are stopping and I am getting a message “start writing events to STDOUT” host=“ “ index=“<index>main</index>” stanza= “ “

I am using that transforms to extract hostname index name , source and sourcetype.

any help appreciated! Thanks

isoutamo · ‎08-27-2021

Have you restart that HF after you have installed those copies to it?

You could use splunk btool props list <sourcetype name> and splunk btool transforms list <transform name> to see that splunk found those correctly. If needed add --debug to see where it takes those into use.

r. Ismo

Abha11 · ‎08-27-2021

Hi @isoutamo

@Thank you so much for your reply to my question.

so I had restarted HF after applying the props and transforms, but no luck. I also checked via btool that props and transforms were found by Splunk correctly, with the debug I could see they were sitting in my splunk add on for aws.

I tried not to use this props and transforms and created and used another sourcetype and I could see my data came in.

however I need to use transforms to set host source and sourcetype based on event data.
samd props and transforms working on another HF I copied it from. Not sure what is going wrong here since on using these splunk starts to write events to STDOUT.

any help appreciated!

Issues with props and transforms

other

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!