I have a similar problem. I am trying get the three IP addresses to use a new sourcetye when they send in data.
Props.conf reads :
[source::udp:514]
TRANSFORMS-riverbed_src = riverbed_steelhead
TRANSFORMS-changesourcetype = sourcetype_cisco_asa
transforms.conf reads :
[riverbed_steelhead]
REGEX = (10.12.0.20:10.0.0.33:10.10.20.185)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::riverbed_steelhead
[sourcetype_cisco_asa]
REGEX = (10.12.254.1:10.10.20.254:10.1.250.254)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::cisco_asa
I get the Error :
Possible typo in stanza [riverbed_steelhead] in transforms.conf. Line 4
Possible typo in stanza [sourcetype_cisco_asa] in transforms.conf. Line 10
Can someone help me find my problem please.
FYI : I also tried the format :
REGEX = (10.\12.0.20|10.0.0.33|10.10.20.185)
... View more