Splunk Search

transforms.conf and props.conf

jtran9373
Explorer

my event and inputs.conf

sourcetype = rsa:syslog

feb 01 10:24:12 myhostname 2025-02-01 10:24:12,999, myhostname, audit.admin.com.cd.etc info

my props.conf

[rsa:syslog]
TRANSFORMS-change_sourcetype = change_sourcetype

my transforms.conf

[change_sourcetype]
DEST_KEY = MetaData:Sourcetype
SOURCE_KEY = MetaData:Sourcetype
REGEX = \,\s+adudit\.admin
FORMAT = sourcetype::new:sourcetype

Could anyone help? My sourcetype doesn't change to "new:sourcetype".

thank you

1 Solution

jtran9373
Explorer

feb 01 10:24:12 myhostname 2025-02-01 10:24:12,999, myhostname, audit.admin.com.cd.etc info

feb 01 10:24:12 myhostname 2025-02-01 10:24:12,999, myhostname, audit.system.com.cd.etc info

inputs.conf

sourcetype = rsa:syslog

I would like to change the sourcetype to "admin" or "system" depending on the raw event.

my props.conf

[rsa:syslog]
TRANSFORMS-change_sourcetype = change_admin_sourcetype, change_system_sourcetype

my transforms.conf

[change_admin_sourcetype]
DEST_KEY = MetaData:Sourcetype
REGEX = \,\s+adudit\.admin
FORMAT = sourcetype::rsa:admin

[change_system_sourcetype]
DEST_KEY = MetaData:Sourcetype
REGEX = \,\s+adudit\.system
FORMAT = sourcetype::rsa:system

But it doesn't work.

thank you for your help.

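To check the rewrite before deploying it, here is an added example that is not from the thread or from Splunk: a small Python simulation of how Splunk applies TRANSFORMS-* stanzas at index time. For the event's original sourcetype, each listed transform runs in order, its REGEX is tested against SOURCE_KEY (default _raw), and on a match FORMAT is written into DEST_KEY. The script embeds a corrected props.conf/transforms.conf (DEST_KEY spelled correctly, SOURCE_KEY left at _raw, regex matching "audit.admin." / "audit.system." as it appears in the event) next to the original question's stanza, and runs both over constructed copies of the sample events. The third sample event and the function names are my own.

```python
"""Offline check of a Splunk index-time sourcetype rewrite.

Added example, not code from the thread or from Splunk. It simulates the
TRANSFORMS-* evaluation Splunk does on the first full instance that parses
the data (heavy forwarder or indexer): for the event's ORIGINAL sourcetype,
each listed transform runs in order, REGEX is tested against SOURCE_KEY
(default _raw), and on a match FORMAT is written into DEST_KEY.
"""
import configparser
import re

# Constructed sample events, shaped like the ones in the thread.
SAMPLE_EVENTS = [
    "feb 01 10:24:12 myhostname 2025-02-01 10:24:12,999, myhostname, audit.admin.com.cd.etc info",
    "feb 01 10:24:12 myhostname 2025-02-01 10:24:12,999, myhostname, audit.system.com.cd.etc info",
    "feb 01 10:24:13 myhostname 2025-02-01 10:24:13,001, myhostname, app.worker.com.cd.etc info",
]

# Corrected configuration. SOURCE_KEY = _raw is the default and is written
# out only for clarity; the regex matches the text that is really in _raw.
PROPS_CONF = """
[rsa:syslog]
TRANSFORMS-change_sourcetype = change_admin_sourcetype, change_system_sourcetype
"""

TRANSFORMS_CONF = r"""
[change_admin_sourcetype]
SOURCE_KEY = _raw
DEST_KEY = MetaData:Sourcetype
REGEX = ,\s+audit\.admin\.
FORMAT = sourcetype::rsa:admin

[change_system_sourcetype]
SOURCE_KEY = _raw
DEST_KEY = MetaData:Sourcetype
REGEX = ,\s+audit\.system\.
FORMAT = sourcetype::rsa:system
"""

# The original question's stanza: the regex is run against the sourcetype
# key ("sourcetype::rsa:syslog"), which can never contain "audit.admin".
BROKEN_PROPS_CONF = """
[rsa:syslog]
TRANSFORMS-change_sourcetype = change_sourcetype
"""

BROKEN_TRANSFORMS_CONF = r"""
[change_sourcetype]
SOURCE_KEY = MetaData:Sourcetype
DEST_KEY = MetaData:Sourcetype
REGEX = ,\s+audit\.admin
FORMAT = sourcetype::new:sourcetype
"""


def load_conf(text):
    """Parse a .conf fragment into {stanza: {key: value}} without lowercasing keys."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # Splunk keys such as DEST_KEY are case-sensitive
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def apply_transforms(event, sourcetype, props, transforms):
    """Return the sourcetype one event ends up with after index-time transforms."""
    # Index-time keys as a transform sees them; the sourcetype key carries
    # the "sourcetype::" prefix, which is why FORMAT must include it too.
    meta = {"_raw": event, "MetaData:Sourcetype": "sourcetype::" + sourcetype}
    for key, value in props.get(sourcetype, {}).items():
        if not key.startswith("TRANSFORMS-"):
            continue
        for name in (n.strip() for n in value.split(",")):
            t = transforms[name]
            subject = meta.get(t.get("SOURCE_KEY", "_raw"), "")
            if re.search(t["REGEX"], subject):
                meta[t["DEST_KEY"]] = t["FORMAT"]
    return meta["MetaData:Sourcetype"].partition("::")[2]


def route(events, sourcetype, props_text, transforms_text):
    """Apply props/transforms text to every event; return the final sourcetypes."""
    props = load_conf(props_text)
    transforms = load_conf(transforms_text)
    return [apply_transforms(e, sourcetype, props, transforms) for e in events]


if __name__ == "__main__":
    finals = route(SAMPLE_EVENTS, "rsa:syslog", PROPS_CONF, TRANSFORMS_CONF)
    for event, final in zip(SAMPLE_EVENTS, finals):
        print(f"{final:12} <- {event}")
```

The corrected pair routes the first two events to rsa:admin and rsa:system and leaves the third as rsa:syslog; the original stanza leaves every event as rsa:syslog, which is the symptom in the question. Two practical checks once the files are on the heavy forwarder: these are index-time settings, so they must live on the first full Splunk instance that parses the data (the heavy forwarder here, or the indexers if there were no HF) and need a restart, while copies on a search head only affect search time; and `splunk btool transforms list change_admin_sourcetype --debug` on that host shows whether the stanza is being read from the file you expect. One caveat of the rewrite: the event is already parsed under rsa:syslog, so the new sourcetype's search-time settings (field extractions, lookups) apply to it, but its index-time settings (line breaking, timestamp recognition) do not.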

livehybrid
SplunkTrust

Hi @jtran9373 

You are using "SOURCE_KEY = MetaData:Sourcetype" to match the regex string against, but your sourcetype is "rsa:syslog"?

It looks like you might be meaning to use SOURCE_KEY = _raw (which is the default) to match your REGEX string against the sample event you provided.

Try removing the SOURCE_KEY key/value pair from your props.conf and see if that resolves your issue.

Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped.
Regards

Will


jtran9373
Explorer

"rsa:syslog"  is sourcetype, and I want to change to another sourcetype.
I will try with SOURCE_KEY = _raw.

thank you for your help

 


livehybrid
SplunkTrust

Hi @jtran9373 

You have put "adudit" in your regex, not "audit" - is this typo in Splunk too or just on here? This might explain your issue.

Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped.
Regards

Will


jtran9373
Explorer

The issue has been resolved.

I put props.conf and transforms.conf on the search heads alone, and it didn't work.
I also put both props.conf and transforms.conf on the heavy forwarder, and then it works.

thank you for your help!!!


jtran9373
Explorer

sorry, it was my typo here.

in my transforms.conf it is "\,\s+aduit\.admin"

thank you for catching that.


jtran9373
Explorer

feb 01 10:24:12 myhostname 2025-02-01 10:24:12,999, myhostname, audit.admin.com.cd.etc info

feb 01 10:24:12 myhostname 2025-02-01 10:24:12,999, myhostname, audit.system.com.cd.etc info

inputs.conf

sourcetype = rsa:syslog

I would like to change the sourcetype to "admin" or "system" depending on the raw event.

my props.conf

[rsa:syslog]
TRANSFORMS-change_sourcetype = change_admin_sourcetype, change_system_sourcetype

my transforms.conf

[change_admin_sourcetype]
DEST_KEY = MetaData:Sourcetype
REGEX = \,\s+auddit\.admin
FORMAT = sourcetype::rsa:admin

[change_system_sourcetype]
DEST_KEY = MetaData:Sourcetype
REGEX = \,\s+auddit\.system
FORMAT = sourcetype::rsa:system
