I'm using a Universal Forwarder and want Splunk to return the sourcetype as what's defined for source within the monitor path (/.../).
Please see my configuration files below.
inputs.conf
#apache
[monitor:///apps/web/test/sfagent/.../*.log.*]
sourcetype = replace_sourcetype_with_segment_5_from_source
blacklist = \.(zip|gz)$
index = web
transforms.conf
[replace_sourcetype_with_segment_5_from_source]
SOURCE_KEY = MetaData:Source
REGEX = ^source::(?:/[^/]+){4}/([^/]+)/
# $1 is the fifth path segment captured by REGEX; a literal value here would
# set every event to the same fixed sourcetype instead of the captured one
FORMAT = sourcetype::$1
DEST_KEY = MetaData:Sourcetype
props.conf
[replace_sourcetype_with_segment_5_from_source]
TRANSFORMS-replaceSourcetype = replace_sourcetype_with_segment_5_from_source
After some digging I discovered I can't use transforms.conf on a Universal Forwarder. Is this absolutely true?
If yes, is there a way to get Splunk to grab the source_type from the metadata and display it within the monitor path without using a heavy forwarder?
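Whatever tier ends up applying the transform, the REGEX and FORMAT pair in the post can be checked offline before deploying it. The script below is an added example, not part of the original post or of Splunk: it emulates the REGEX/FORMAT step of that transforms.conf stanza in Python, using the same regular expression and the `$1` capture-group substitution that a Splunk FORMAT string uses. The source paths are constructed sample values, chosen to show both the normal case (a file one directory below sfagent) and the edge case the regex does not match (a file sitting directly in sfagent, where there is no fifth segment followed by a slash).

```python
import re
from typing import Dict, Iterable, Optional

# Same regex as the transforms.conf stanza in the post: four path segments
# after "source::", then the fifth segment is captured, and a trailing "/"
# is required so the captured text is a directory, not the file name.
SEGMENT_5_REGEX = re.compile(r"^source::(?:/[^/]+){4}/([^/]+)/")


def sourcetype_from_source(source: str, fmt: str = "sourcetype::$1") -> Optional[str]:
    """Emulate the REGEX/FORMAT step of the transform on one source value.

    `source` is the value held in MetaData:Source, e.g. "source::/apps/...".
    `fmt` is the FORMAT string; "$1" is replaced with the first capture group,
    mirroring how Splunk expands capture groups in FORMAT.
    Returns the new MetaData:Sourcetype value, or None when REGEX does not
    match (the transform would then leave the sourcetype unchanged).
    """
    m = SEGMENT_5_REGEX.match(source)
    if not m:
        return None
    return fmt.replace("$1", m.group(1))


# Constructed sample MetaData:Source values (not from the post).
SAMPLE_SOURCES = [
    "source::/apps/web/test/sfagent/orders-api/access.log.2024-01-01",  # segment 5 = orders-api
    "source::/apps/web/test/sfagent/auth/error.log",                     # segment 5 = auth
    "source::/apps/web/test/sfagent/access.log.1",                       # no directory below sfagent: no match
]


def check_all(sources: Iterable[str] = SAMPLE_SOURCES,
              fmt: str = "sourcetype::$1") -> Dict[str, Optional[str]]:
    """Apply the emulated transform to every sample source and return the results."""
    return {s: sourcetype_from_source(s, fmt) for s in sources}


if __name__ == "__main__":
    for src, st in check_all().items():
        print(f"{src}\n    -> {st}")
    # Passing the literal FORMAT value from the original post shows the defect:
    # every matching event gets the same fixed sourcetype.
    literal = "sourcetype::replace_sourcetype_with_segment_5_from_source"
    print(sourcetype_from_source(SAMPLE_SOURCES[0], literal))
```

Running it shows the first two sources mapped to `sourcetype::orders-api` and `sourcetype::auth`, and the third left untouched because the regex requires a slash after the fifth segment; if files can land directly in the sfagent directory, that case needs either a separate stanza or a regex without the trailing slash.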