Solved: change sourcetype for sourcetype not starting with...

ss026381 · ‎10-23-2019

I want to change the sourcetype for all incoming logs with sourcetypes not starting with abc. I have following setting but it would change it for all the sourcetypes

  #Transforms.conf on indexer

  [noncerner:setnull]
  SOURCE_KEY = MetaData:Sourcetype
  REGEX = (?::){0}^(?!ABC).*
  #REGEX = ^(?!ABC).* tried it
  #REGEX = sourcetype::^(?!ABC).* tried it
  #REGEX = sourcetype::(?::)^(?!ABC).* tried it
  DEST_KEY = MetaData:Sourcetype
  FORMAT = sourcetype::ABC:temp:logs

Any hep is appreciated.

tiagofbmm · ‎10-24-2019

This is the syntax for what you want to do. Let me know

[noncerner:setnull]
FORMAT = sourcetype::ABC:temp:logs
DEST_KEY = MetaData:Sourcetype
SOURCE_KEY = MetaData:Sourcetype
REGEX = sourcetype::(((?!abc)).*)

View solution in original post

tiagofbmm · ‎10-24-2019

This is the syntax for what you want to do. Let me know

[noncerner:setnull]
FORMAT = sourcetype::ABC:temp:logs
DEST_KEY = MetaData:Sourcetype
SOURCE_KEY = MetaData:Sourcetype
REGEX = sourcetype::(((?!abc)).*)

ss026381 · ‎10-24-2019

Very big thumps up, it worked, thanks. I am testing few more scenarios and will comment later today.

tiagofbmm · ‎10-23-2019

^((?!abc).)*

This regex shall negate the string exists.

ss026381 · ‎10-24-2019

there is no problem with the regex. it works when I put it in regex101. I think the problem is that we cannot use regex with sourcetype.

change sourcetype for sourcetype not starting with specific word

.conf23 Registration is Now Open!

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Unify Your SecOps with Splunk Mission Control