I am dynamically extracting a sourcetype using props.conf and transforms.conf files. But the extraction is not working as expected.
The sourcetype I am extracting is "eu_test_splunktest_internal_dev", but it seems Splunk is only displaying "eu_test_" as the sourcetype and it's trimming the rest.
Is there an official Splunk page which defines any kind of restriction on sourcetype names, or can I have the mentioned name as a sourcetype?
If you want to override a source type, you must configure the setting in props.conf on the forwarder where the input is configured.
To override source type assignment, add a stanza for your source to props.conf. In the stanza, identify the source path, using regular expression (regex) syntax for flexibility if necessary. Then specify the source type by including a sourcetype attribute. For example:
If this helps, your like will be appreciated. 😊
When you say "dynamically extracting a sourcetype using props.conf and transforms.conf file", you mean that in the props.conf stanza title you use "eu_test_splunktest_internal_dev", is that correct?
I am not aware of any limits on the length of sourcetypes, but for safety you could try to add a sourcetype using the web GUI [Settings -- Source types -- New Source type] and see if there's a limit.
To my knowledge the only limit is to not use some special chars like *, ", <, >, etc...
Check props.conf to make sure there aren't spaces in the sourcetype stanza's title.
No, I am trying to override the sourcetype using regex, as available in the documentation below.
The source type is overridden based on the regex which I have written in the transforms.conf file.
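A per-event sourcetype override of the kind described in this thread, as an added example that is not taken from the original posts; the source path, the transform name and the sample event are assumptions made for illustration.

```ini
# props.conf (on the instance that parses the data: indexer or heavy forwarder)
# Hypothetical source path; this attaches the transform to matching input.
[source::/var/log/myapp/*.log]
TRANSFORMS-set_sourcetype = set_sourcetype_from_event

# transforms.conf
# Constructed sample event:
#   2024-01-01 12:00:00 app=eu_test_splunktest_internal_dev msg="started"
[set_sourcetype_from_event]
# $1 is exactly the text matched by the first capture group, so the
# character class must cover every character of the intended name.
REGEX = app=([A-Za-z0-9_]+)
# Write the captured text into the sourcetype metadata field.
FORMAT = sourcetype::$1
DEST_KEY = MetaData:Sourcetype
```

Running `splunk btool transforms list set_sourcetype_from_event --debug` on the parsing instance shows which file each of these settings is actually read from.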
To my knowledge, there isn't any reason to trim the sourcetype in overriding.
Do you have the same problem using a sourcetype with the same number of chars but without special chars?
If yes, there's an undocumented limit to the number of chars, so I suggest opening a case with Splunk Support.
If not, check the special chars you're using and see if you can avoid using them.