×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
allidoiswinboom
Explorer
Member since: ‎03-06-2024
‎11-24-2025
Community Statistics
Posts 8
Solutions 0
Karma Given 32
Karma Received 0
Member Since ‎03-06-2024
Activity Feed
View All

Re: Sourcetype Override Not Working!

by in All Apps and Add-ons
‎03-25-2024 01:48 PM
‎03-25-2024 01:48 PM
@gcusello  Sorry for the late reply but this helped with the creation of the sourcetype. Thank you for all your help! 🙂  ... View more

Re: Sourcetype Override Not Working!

by in All Apps and Add-ons
‎03-08-2024 07:10 AM
‎03-08-2024 07:10 AM
Hi @gcusello  I have to black out certain information but see below:    Thank you for your help! ... View more

Re: Sourcetype Override Not Working!

by in All Apps and Add-ons
‎03-08-2024 07:02 AM
‎03-08-2024 07:02 AM
Hi @gcusello  Ok great, if that's the case, I just want to match events that start with "acl_policy_name" so I can transform the sourcetype to something else. All the events start with that so I'm not sure what else I need to add to the REGEX?  Thank you! ... View more

Re: Sourcetype Override Not Working!

by in All Apps and Add-ons
‎03-08-2024 06:57 AM
‎03-08-2024 06:57 AM
Hi @gcusello  I ran that search and no results were found. 😞 So is the regex incorrect? I was just trying to match that event referenced above.  Thank you! ... View more

Re: Sourcetype Override Not Working!

by in All Apps and Add-ons
‎03-08-2024 06:40 AM
‎03-08-2024 06:40 AM
Hi @gcusello  No, the 'Splunk_TA_f5-bigip' app is on the DS but not the IDXs/CM. Is that something that ought to be pushed out to the CM/IDX?  We have a local app that is specific to our program with a ruleset for that f5:bigip:syslog but that is just specifying the hosts that route data to that index.  How can I check via the regex what sourcetypes the data has?  Thank you!    ... View more

Re: Sourcetype Override Not Working!

by in All Apps and Add-ons
‎03-07-2024 06:39 AM
‎03-07-2024 06:39 AM
Hello @gcusello  Yes these files are already on the indexers. ... View more

Re: Sourcetype Override Not Working!

by in All Apps and Add-ons
‎03-07-2024 05:36 AM
‎03-07-2024 05:36 AM
Hi @gcusello Thanks for the reply. We are using UFs and I have the confs files on the deployment server and the indexers. We use a CM to manage all the Indexers so I deploy the updated files from the CM to ensure consistent hashing across the files. Thank you!  ... View more

Sourcetype Override Not Working!

by in All Apps and Add-ons
‎03-06-2024 10:50 AM
‎03-06-2024 10:50 AM
Hi All! Hope all is well. I am about to pull my hair out trying to override a sourcetype for a specific set of tcp network events. The event starts with the same string of 'acl_policy_name' and it is currently being labeled with a sourcetype of 'f5:bigip:syslog'. I want to override that sourcetype with a new one labeled 'f5:bigip:afm:syslog' however, even after modifying the props and transforms conf files: still no dice. I used regex101 to ensure that the regex for the 'acl_policy_name' match is correct but I've gone through enough articles and Splunk documentation to no avail. Nothing in the btools outputs for it looks out of place or as though it could be interfering with the settings below. Any thoughts or suggestions would be greatly appreciated before I throw my laptop off a cliff. Thanks in advance! Event Snippet: Inputs.conf [tcp://9515] disabled = false connection_host = ip sourcetype = f5:bigip:syslog index = f5_cs_p_p Props.conf [f5:bigip:syslog] TRANSFORMS-afm_sourcetype = afm-sourcetype *Note I also tried [source::tcp:9515] as a spec instead of the sourcetype but no dice either way. Transforms.conf [afm-sourcetype] REGEX = ^acl_policy_name="$ DEST_KEY = MetaData:Sourcetype FORMAT = sourcetype::f5:bigip:afm:syslog WRITE_META = true     ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎11-24-2025 08:45 AM
Karma given to