- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- override source field to a common source using tra...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
override source field to a common source using transform.conf and props.conf
Hi
I want to have a common source field for all my syslog. I have centralized syslog server where I am running splunkforwarder to send all remote hosts logs to splunk.
currently source filed is default which is "/var/log/syslog/%year%/%month%/%date%/%host%/syslog"
what I want is "/var/log/syslog" - I want this static for all logs. how to do this with transforms.conf and props.conf
I know I can do it in input.conf by just mentioning source="/var/log/syslog". I tried that and it works but it's breaking host field. I am overriding host field using host_segment in input.conf. so if I put static source there it breaks host_segment and splunk can't parse host.
current configs,
transform.conf
[source]
FORMAT = source::/var/log/syslog
SOURCE_KEY=MetaData:Source
DEST_KEY = MetaData:Source
props.conf
[sourceoverride]
TRANSFORMS-source = source
SHOULD_LINEMERGE = false
input.conf
[monitor:///var/log/rsyslog/////syslog]
disabled = false
followTail=0
host_segment = 7
blacklist = .(gz)$
sourcetype = syslog
source=/var/log/syslog
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your transforms.conf is missing the REGEX part. Even though you don't need it functionally, it is a mandatory setting for indextime transforms.
So just add REGEX = . and then I think it should work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just tried this. didn't work. Somehow it seems like splunk is ignoring transforms and props config files. no effect at all.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you try my suggestion combined with the other answer about using [syslog]?
Because using [sourceoverride] in your props.conf is incorrect. You need to put your actual sourcetype between de square brackets not some
random word.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you try props as below:
props.conf
[syslog]
TRANSFORMS-source = source
SHOULD_LINEMERGE = false
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tried your suggestion, didn't work. no effect.
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
