×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
dstark
Explorer
Member since: ‎09-13-2012
‎06-05-2020
Community Statistics
Posts 5
Solutions 0
Karma Given 1
Karma Received 1
Member Since ‎09-13-2012
Activity Feed
View All

Re: transforms and props.conf splitting sourcetype...

by in Getting Data In
‎09-02-2016 07:52 AM
1 Karma
‎09-02-2016 07:52 AM
1 Karma
I had to contact Splunk support to apply these configs to my Splunk Cloud indexer. Thank you Nicolo_Figiani and somesoni2 for your help! ... View more

Re: transforms and props.conf splitting sourcetype...

by in Getting Data In
‎09-02-2016 05:35 AM
‎09-02-2016 05:35 AM
I've verified that I should be changing the Splunk Cloud instance with the link above. However, I'm still not seeing results with sourcetype=sqsd . I'm not able to set the DEST_KEY = MetaData:Sourcetype using the GUI, maybe this is the problem? http://imgur.com/a/jFy8B ... View more

Re: transforms and props.conf splitting sourcetype...

by in Getting Data In
‎09-01-2016 10:18 AM
‎09-01-2016 10:18 AM
Ah....I'm using a universal forwarder and Splunk Cloud. I found this link (search "im-struggling-with-how-i-should-be-doing-inputs-and-also-props-transforms-etc-stuff-within-splunk-cloud" as I can't post links) which explains how to modify props and transforms.conf using the GUI in Splunk Cloud. I'll give it a shot and post screenshots if I can get it working. Thanks somesoni2! ... View more

Re: transforms and props.conf splitting sourcetype...

by in Getting Data In
‎09-01-2016 08:39 AM
‎09-01-2016 08:39 AM
As far as I can tell btool is showing exactly what I expect. There's a unique TRANSFORMS for syslog in /etc/system/local and the default TRANFSORMS from /etc/system/default: /opt/splunkforwarder/etc/system/default/props.conf TRANSFORMS = syslog-host /opt/splunkforwarder/etc/system/local/props.conf TRANSFORMS-syslog = set_sqsd_sourcetype ... View more

transforms and props.conf splitting sourcetype not...

by in Getting Data In
‎09-01-2016 06:18 AM
‎09-01-2016 06:18 AM
I'm trying to follow the pattern of matching a string and transforming the event into a new sourcetype. I'm using a sourcetype for syslog defined in inputs.conf; it is being read from logs. /var/log/syslog contains events matching string "sqsd" that I would like to rewrite to a new sqsd sourcetype I've found multiple answers posts about this topic but can't seem to determine why I'm not getting any data as the transformed sourcetype. Originally, I thought the problem was in my REGEX in transforms.conf, but if I set it to .* or remove it completely I still don't get results. inputs.conf [monitor:///var/log/syslog] sourcetype=syslog index = test ignoreOlderThan = 24h props.conf [syslog] TRANSFORMS-syslog = set_sqsd_sourcetype transforms.conf [set_sqsd_sourcetype] REGEX = sqsd DEST_KEY = MetaData:Sourcetype FORMAT = sourcetype::sqsd splunkd.log does not show any errors, so I don't think my conf files are invalid. Right now I am seeing all events as sourcetype=syslog. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:03 AM
Karma from
View All
Karma given to
View All