Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

transforms.conf and props.conf

jtran9373
Explorer
‎02-25-2025 11:48 AM

my event and inputs.conf

sourcetype = rsa:syslog


feb 01 10:24:12 myhostname 2025-02-01 10:24:12,999, myhostname, audit.admin.com.cd.etc info

my props.conf

[rsa:syslog]

TRANSFORMS-change_sourcetype = change_sourcetype

my transforms.conf

[change_sourcetype]

DESK_KEY = MetaData:Sourcetype

SOURCE_KEY = MetaData:Sourcetype

REGEX = \,\s+adudit\.admin

FORMAT = sourcetype::new:sourcetype

 

 

could anyone help?  my sourcetype doesn't change to "new:sourcetype"

 

thank you

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jtran9373
Explorer
‎02-26-2025 08:15 AM

feb 01 10:24:12 myhostname 2025-02-01 10:24:12,999, myhostname, audit.admin.com.cd.etc info

feb 01 10:24:12 myhostname 2025-02-01 10:24:12,999, myhostname, audit.system.com.cd.etc info

inputs.conf 

sourcetype = rsa:syslog

my props.conf

 

I would like to change sourcetype base "admin", OR "system" depend on raw events.

[rsa:syslog]

TRANSFORMS-change_sourcetype = change_admin_sourcetype, change_system_sourcetype

my transforms.conf

[change_admin_sourcetype]

DESK_KEY = MetaData:Sourcetype

REGEX = \,\s+adudit\.admin

FORMAT = sourcetype::rsa:admin

[change_system_sourcetype]

DESK_KEY = MetaData:Sourcetype

REGEX = \,\s+adudit\.system

FORMAT = sourcetype::rsa:system

 

but it doesnt' work.

thank you for your help.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

livehybrid
Champion
‎02-25-2025 01:12 PM

Hi @jtran9373 

You are using "SOURCE_KEY = MetaData:Sourcetype" to match for the regex string, however your sourcetype is "rsa:syslog" ?

It looks like you might be meaning to use SOURCE_KEY = _raw (which is the default) to match your REGEX string against the sample event you provided.

Try removing the SOURCE_KEY key/value pair from your props.conf and see if that resolves your issue.

Please let me know how you get on and consider accepting this answer or adding karma this answer if it has helped.
Regards

Will

0 Karma
Reply
Solved! Jump to solution

jtran9373
Explorer
‎02-26-2025 05:44 AM

"rsa:syslog"  is sourcetype, and I want to change to another sourcetype.
I will try with SOURCE_KEY = _raw.

thank you for your help

 

Reply
Solved! Jump to solution
Solution

jtran9373
Explorer
‎02-26-2025 08:15 AM

feb 01 10:24:12 myhostname 2025-02-01 10:24:12,999, myhostname, audit.admin.com.cd.etc info

feb 01 10:24:12 myhostname 2025-02-01 10:24:12,999, myhostname, audit.system.com.cd.etc info

inputs.conf 

sourcetype = rsa:syslog

my props.conf

 

I would like to change sourcetype base "admin", OR "system" depend on raw events.

[rsa:syslog]

TRANSFORMS-change_sourcetype = change_admin_sourcetype, change_system_sourcetype

my transforms.conf

[change_admin_sourcetype]

DESK_KEY = MetaData:Sourcetype

REGEX = \,\s+adudit\.admin

FORMAT = sourcetype::rsa:admin

[change_system_sourcetype]

DESK_KEY = MetaData:Sourcetype

REGEX = \,\s+adudit\.system

FORMAT = sourcetype::rsa:system

 

but it doesnt' work.

thank you for your help.

0 Karma
Reply
Solved! Jump to solution

livehybrid
Champion
‎02-26-2025 08:17 AM

Hi @jtran9373 

You have put "adudit" in your regex, not "audit" - is this typo in Splunk too or just on here? This might explain you issue.

Please let me know how you get on and consider accepting this answer or adding karma this answer if it has helped.
Regards

Will

0 Karma
Reply
Solved! Jump to solution

jtran9373
Explorer
‎02-27-2025 06:28 AM

issues had been resolved.

I did the props.conf and transforms.conf on the search heads alone, it didn't work.
I also both props.conf and transforms.conf on the heavyforwarder, then it works.

thank you for your helps!!!

0 Karma
Reply
Solved! Jump to solution

jtran9373
Explorer
‎02-26-2025 08:49 AM

sorry, it was my typo here.

in my my transforms.conf is "\,\s+aduit\.admin

thank you for catching that.

0 Karma
Reply
Solved! Jump to solution

jtran9373
Explorer
‎02-26-2025 08:50 AM

feb 01 10:24:12 myhostname 2025-02-01 10:24:12,999, myhostname, audit.admin.com.cd.etc info

feb 01 10:24:12 myhostname 2025-02-01 10:24:12,999, myhostname, audit.system.com.cd.etc info

inputs.conf 

sourcetype = rsa:syslog

my props.conf

 

I would like to change sourcetype base "admin", OR "system" depend on raw events.

[rsa:syslog]

TRANSFORMS-change_sourcetype = change_admin_sourcetype, change_system_sourcetype

my transforms.conf

[change_admin_sourcetype]

DESK_KEY = MetaData:Sourcetype

REGEX = \,\s+auddit\.admin

FORMAT = sourcetype::rsa:admin

[change_system_sourcetype]

DESK_KEY = MetaData:Sourcetype

REGEX = \,\s+auddit\.system

FORMAT = sourcetype::rsa:system

0 Karma
Reply
Get Updates on the Splunk Community!

Fueling your curiosity with new Splunk ILT and eLearning courses

At Splunk Education, we’re driven by curiosity—both ours and yours! That’s why we’re committed to delivering ...

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Splunk AI Assistant for SPL has transformed how users interact with Splunk, making it easier than ever to ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureOn Demand Now Step boldly into the AI revolution with enhanced security ...
Top