I have a very strange behaviour in props.conf; the following stanza does not work:
[SDCS-liveclone-xxxxxx-st_XmlWinEventLog:Security]
TRANSFORMS-SDCS-liveclone-xxxxxx-wes-route1 = SDCS-liveclone-xxxxxx-wes_Filter
TRANSFORMS-SDCS-liveclone-xxxxxx-wes-route2 = SDCS-liveclone-xxxxxx-ls_SwitchIndex
TRANSFORMS-SDCS-liveclone-xxxxxx-wes-route3 = SDCS-common-xxxxxx-DiscardEvents
TRANSFORMS-SDCS-liveclone-xxxxxx-wes-route4 = SDCS-liveclone-xxxxxx-wse_UsernameAnonymizer
TRANSFORMS-SDCS-liveclone-xxxxxx-wes-route5 = SDCS-liveclone-xxxxxx-wse_UsernameAnonymizer
TRANSFORMS-SDCS-liveclone-xxxxxx-wes-route6 = SDCS-liveclone-xxxxxx-wse_UsernameAnonymizer
TRANSFORMS-SDCS-liveclone-xxxxxx-wes-route7 = SDCS-liveclone-xxxxxx-ls_SwitchRoute
TRANSFORMS-SDCS-liveclone-xxxxxx-wes-route8 = SDCS-common-xxxxxx-CleanSourceType
It stops processing at the transform TRANSFORMS-SDCS-liveclone-xxxxxx-wes-route7.
If an X is added to this rule as follows (line 8, after SDCS; adding it further towards the end, e.g. ...SDCS-livecloneX..., does not work):
[SDCS-liveclone-xxxxxx-st_XmlWinEventLog:Security]
TRANSFORMS-SDCS-liveclone-xxxxxx-wes-route1 = SDCS-liveclone-xxxxxx-wes_Filter
TRANSFORMS-SDCS-liveclone-xxxxxx-wes-route2 = SDCS-liveclone-xxxxxx-ls_SwitchIndex
TRANSFORMS-SDCS-liveclone-xxxxxx-wes-route3 = SDCS-common-xxxxxx-DiscardEvents
TRANSFORMS-SDCS-liveclone-xxxxxx-wes-route4 = SDCS-liveclone-xxxxxx-wse_UsernameAnonymizer
TRANSFORMS-SDCS-liveclone-xxxxxx-wes-route5 = SDCS-liveclone-xxxxxx-wse_UsernameAnonymizer
TRANSFORMS-SDCS-liveclone-xxxxxx-wes-route6 = SDCS-liveclone-xxxxxx-wse_UsernameAnonymizer
TRANSFORMS-SDCSX-liveclone-xxxxxx-wes-route7 = SDCS-liveclone-xxxxxx-ls_SwitchRoute
TRANSFORMS-SDCS-liveclone-xxxxxx-wes-route8 = SDCS-common-xxxxxx-CleanSourceType
the props get applied.
Just as background info:
- the same key is not used anywhere else
- similar keys are used, e.g. the same set but with -ls- instead of -wes-; this works
- xxxxxx is a company name, in this case 6 characters
- the transforms have to be applied in this order (clone event, change _tcp_routing, change index, discard events whose routing has not been changed, overwrite usernames that follow a certain pattern, change routing to the final destination, reset original source type). This is needed to hand over some events to another Splunk platform while masking the usernames on the way.
Below are the referenced transforms; the ones named SDCS-common-... are kept in another app.
[SDCS-liveclone-xxxxxx-Clone_XmlWinEventLogSecurity]
REGEX = .
DEST_KEY=_TCP_ROUTING
FORMAT=nothing
CLONE_SOURCETYPE = SDCS-liveclone-xxxxxx-st_XmlWinEventLog:Security

[SDCS-liveclone-xxxxxx-wes_Filter]
SOURCE_KEY = MetaData:Source
REGEX = WinEventLog:Security
DEST_KEY=_TCP_ROUTING
FORMAT=SDCS-liveclone-xxxxxx-target-route

[SDCS-liveclone-xxxxxx-ls_SwitchIndex]
REGEX = .
DEST_KEY=_MetaData:Index
FORMAT=yyyyyy
WRITE_META = true

[SDCS-common-xxxxxx-DiscardEvents]
SOURCE_KEY = _TCP_ROUTING
REGEX = nothing
DEST_KEY = queue
FORMAT = nullQueue

[SDCS-common-xxxxxx-CleanSourceType]
SOURCE_KEY=MetaData:Sourcetype
REGEX = (?mi)^[^:]*::SDCS-(live|verify)clone-xxxxxx-st_(.*)$
DEST_KEY=MetaData:Sourcetype
FORMAT=sourcetype::$2
WRITE_META = true

[SDCS-liveclone-xxxxxx-wse_UsernameAnonymizer]
REGEX = (?mi)^(.*? __pattern_to_match_username__ (<.*?)$
FORMAT = $1**HiddenSwisscomUser**$2
DEST_KEY = _raw

[SDCS-liveclone-xxxxxx-ls_SwitchRoute]
SOURCE_KEY=_TCP_ROUTING
REGEX = SDCS-liveclone-xxxxxx-target-route
#REGEX = .
DEST_KEY=_TCP_ROUTING
FORMAT=zzzzzz
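Added illustration (not part of the original post, and not Splunk code): a small Python model of the route1..route8 chain above, run over a constructed cloned event so the intended order (filter, switch index, discard unrouted events, mask the username, switch route, reset sourcetype) can be traced key by key. It only mimics the SOURCE_KEY / REGEX / DEST_KEY / FORMAT semantics and does not replicate Splunk's pipeline internals; the TargetUserName regex, the sample XML event, the source names and the starting index are constructed stand-ins (the post's own username pattern is the placeholder __pattern_to_match_username__).

```python
import re

# Model of the transforms.conf stanzas in the post (simplified; not Splunk internals).
# The username REGEX is a constructed stand-in for __pattern_to_match_username__.
TRANSFORMS = {
    "SDCS-liveclone-xxxxxx-wes_Filter": dict(
        SOURCE_KEY="MetaData:Source", REGEX=r"WinEventLog:Security",
        DEST_KEY="_TCP_ROUTING", FORMAT="SDCS-liveclone-xxxxxx-target-route"),
    "SDCS-liveclone-xxxxxx-ls_SwitchIndex": dict(
        REGEX=r".", DEST_KEY="_MetaData:Index", FORMAT="yyyyyy"),
    "SDCS-common-xxxxxx-DiscardEvents": dict(
        SOURCE_KEY="_TCP_ROUTING", REGEX=r"nothing",
        DEST_KEY="queue", FORMAT="nullQueue"),
    "SDCS-liveclone-xxxxxx-wse_UsernameAnonymizer": dict(
        # constructed pattern: mask the value of the TargetUserName element
        REGEX=r"(?mi)^(.*?<Data Name='TargetUserName'>)[^<]*(<.*)$",
        DEST_KEY="_raw", FORMAT="$1**HiddenSwisscomUser**$2"),
    "SDCS-liveclone-xxxxxx-ls_SwitchRoute": dict(
        SOURCE_KEY="_TCP_ROUTING", REGEX=r"SDCS-liveclone-xxxxxx-target-route",
        DEST_KEY="_TCP_ROUTING", FORMAT="zzzzzz"),
    "SDCS-common-xxxxxx-CleanSourceType": dict(
        SOURCE_KEY="MetaData:Sourcetype",
        REGEX=r"(?mi)^[^:]*::SDCS-(live|verify)clone-xxxxxx-st_(.*)$",
        DEST_KEY="MetaData:Sourcetype", FORMAT="sourcetype::$2"),
}

# Order of the TRANSFORMS-...-route1 .. route8 keys in the props.conf stanza.
CHAIN = [
    "SDCS-liveclone-xxxxxx-wes_Filter",
    "SDCS-liveclone-xxxxxx-ls_SwitchIndex",
    "SDCS-common-xxxxxx-DiscardEvents",
    "SDCS-liveclone-xxxxxx-wse_UsernameAnonymizer",
    "SDCS-liveclone-xxxxxx-wse_UsernameAnonymizer",
    "SDCS-liveclone-xxxxxx-wse_UsernameAnonymizer",
    "SDCS-liveclone-xxxxxx-ls_SwitchRoute",
    "SDCS-common-xxxxxx-CleanSourceType",
]

# Constructed sample event (XmlWinEventLog style, single line).
SAMPLE_RAW = ("<Event><System><EventID>4624</EventID></System><EventData>"
              "<Data Name='TargetUserName'>jdoe</Data>"
              "<Data Name='TargetDomainName'>CORP</Data></EventData></Event>")


def make_clone(source, raw):
    """Constructed cloned event as it reaches the cloned-sourcetype stanza: the
    Clone transform in the post has already set _TCP_ROUTING to 'nothing'."""
    return {
        "_raw": raw,
        "MetaData:Source": "source::" + source,
        "MetaData:Sourcetype": "sourcetype::SDCS-liveclone-xxxxxx-st_XmlWinEventLog:Security",
        "_MetaData:Index": "wineventlog",   # assumed original index
        "_TCP_ROUTING": "nothing",
        "queue": "indexQueue",
    }


def apply_transform(event, stanza):
    """Match REGEX against SOURCE_KEY (default _raw); on a hit, write FORMAT with
    $N expanded from the capture groups into DEST_KEY. Returns True on a hit."""
    src = event.get(stanza.get("SOURCE_KEY", "_raw"), "")
    m = re.search(stanza["REGEX"], src)
    if not m:
        return False
    expanded = re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), stanza["FORMAT"])
    event[stanza["DEST_KEY"]] = expanded
    return True


def run_chain(event):
    """Apply the chain in props.conf order and return the modified event.
    An event routed to nullQueue is still carried through here; Splunk drops it."""
    for name in CHAIN:
        apply_transform(event, TRANSFORMS[name])
    return event


if __name__ == "__main__":
    for src in ("XmlWinEventLog:Security", "XmlWinEventLog:Application"):
        ev = run_chain(make_clone(src, SAMPLE_RAW))
        print(src, "->", {k: ev[k] for k in ("_TCP_ROUTING", "queue", "_MetaData:Index",
                                              "MetaData:Sourcetype")})
        print("  _raw:", ev["_raw"])
```

Running it shows the Security clone ending up with routing zzzzzz, index yyyyyy, the original sourcetype restored and the username masked, while the Application clone keeps routing "nothing" and is sent to nullQueue; applying the anonymizer three times is idempotent in this model, because the mask text itself contains no '<'.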