- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Search by sourcetype returns no results
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm indexing some syslog data from UDP. I'm using a transform on the data to set the sourcetype of data from certain hosts like this:
[vmware_set_sourcetype]
SOURCE_KEY=MetaData:Host
DEST_KEY=MetaData:Sourcetype
REGEX=^host::vmware-\d+.example.com$
FORMAT=vmware_syslog
That works just fine. When I do a search by host, I see the data as expected, and the sourcetype is vmware_syslog. So, for example, this search returns 30,399 results:
host=vmware-* earliest=-10m
This search, however, returns none:
sourcetype=vmware_syslog earliest=-10m
It's strange, because on my search homepage, I can page through the source types, find vmware_syslog, and click on it to do a search, but I still get no results.
I just want to make sure I'm not missing something before I file a support case.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I went ahead and filed a support request, and turns out this is a bug after all. The splunk folks gave me this search as a workaround:
index="vmware" | search sourcetype=vmware_syslog earliest=-10m
Edit:
Apparently this isn't a bug and I was doing it wrong. The format should have had sourcetype:: prepended to it. So the transform stanza should have looked like this:
[vmware_set_sourcetype]
SOURCE_KEY=MetaData:Host
DEST_KEY=MetaData:Sourcetype
REGEX=^host::vmware-\d+.example.com$
FORMAT=sourcetype::vmware_syslog
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I went ahead and filed a support request, and turns out this is a bug after all. The splunk folks gave me this search as a workaround:
index="vmware" | search sourcetype=vmware_syslog earliest=-10m
Edit:
Apparently this isn't a bug and I was doing it wrong. The format should have had sourcetype:: prepended to it. So the transform stanza should have looked like this:
[vmware_set_sourcetype]
SOURCE_KEY=MetaData:Host
DEST_KEY=MetaData:Sourcetype
REGEX=^host::vmware-\d+.example.com$
FORMAT=sourcetype::vmware_syslog
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is the count for your sourcetype vmware_syslog on the summary page? 0?
Judging by your host=vmware-* search that returns results, your REGEX won't match any of your events. Unless you plan to use some value that will be extracted by the REGEX as a part of your sourcetype, then you should use sourcetype= in props.conf, instead of your stanza in transforms.conf.
PROPS.CONF:
[source:://...mystuff...]
sourcetype=vmware_syslog
P.S. It looks like host:: does not belong in your REGEX -- probably a mixup from the FORMAT clause where that syntax is often used. I would scrap the transforms.conf config and just use props.conf for this.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The count for sourcetype vmware_syslog on the summary page is 126,675,534. If it were 0, then I wouldn't have expected any results when I clicked on it 😉
..which also indicates the regex works fine, host:: and all. I got the idea from here:
I'm already using sourcetype= in props.conf to set the sourcetype of most of the data coming into this UDP listener. I need to set data from other servers as a separate sourcetype, but I can't send it to a separate port.
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Adoption of RUM and APM at Splunk
