Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why are my props/transforms not taking effect?

ajhstn
Explorer
‎09-02-2018 03:10 PM

Hello, i have a single Splunk Enterprise instance with a 9997 listener. I have a single Windows Server with a UF forwarding data to the Splunk Enterprise. This is all good; data is being forwarded as expected.

I am now trying to make a few props.conf changes to the data, but none of my configuration seems to make any difference, when i go look in the Splunk Enterprise search app.

Here in props.conf i a, trying to transform the host, set the timezone to Sydney and set the event time.

[WinEventLog:*]
TRANSFORMS-change_host = WinEventHostOverride
TZ = Australia/Sydney
DATETIME_CONFIG = CURRENT

Here in transforms.conf is my host overide block;

[WinEventHostOverride]
DEST_KEY = MetaData:Host
REGEX = (?m)^ComputerName=([\S]*)
FORMAT = host::$1

On every change i make, i have performed a splunk.exe restart on the UF host. However, nothing appears to change in my index.

Here is a sample from my index.

  • As you can see the Time field is UTC, but i want the time in the actual Event to be the Time.
  • The host field is not transforming to the correct ComputerName field in the event.

alt text

Using Answers from other questions, i used the following search query to "test" the regex and it appears to work, so i am confused why it doesn't work.

index=* | head 1 | eval testdata="ComputerName=ahslc01p" | regex testdata="(?m)^ComputerName=([\S]*)" | stats count
Tags (2)
Preview file
1 KB
0 Karma
Reply

ajhstn
Explorer
‎09-06-2018 01:43 AM

Thanks to both of you. The Wiki article is invaluable, and should be re-incorporated into official documentation.

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎09-02-2018 05:26 PM

A two things I can spot:

  • in props.conf you are using a * in the sourcetype name, this is not supported.
  • you restarted the UF after each change - but the props/transforms should be applied on your single Splunk instance

cheers, MuS

Reply

kristian_kolb
Ultra Champion
‎09-06-2018 01:14 AM

Yep, this is a slightly old piece of documentation, but it gives a good understanding of what goes where, in terms of configuration items.

https://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings%3F

0 Karma
Reply

ajhstn
Explorer
‎09-06-2018 01:45 AM

Thank you, this Wiki was invaluable and should be incorporated back into official documentation.

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...