Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

props.conf precedence

afaraino
Explorer
‎09-19-2011 02:38 AM

Hi Everyone,

I'm having a little issue related with props.conf precedence. I want to apply a transforms stanza to set a sourcetype, then another stanza to extract the Metadata:Host field for this sourcetype. I tried this in props.conf :

[source::udp:514]
TRANSFORMS-changesourcetype = set_juniper-sa-access
[juniper-sa-access]
TRANSFORMS-changehost = juniper-sa-access_host

...but it's not working. The first transform sets the sourcetype to juniper-sa-access but the second one never applies.

If I change to that, it's working, but it's not the desired behaviour :

[source::udp:514]
TRANSFORMS-changesourcetype = set_juniper-sa-access
TRANSFORMS-changehost = juniper-sa-access_host

Any clue?

Is it about precedence (source > host > sourcetype)? or is it because the sourcetype is set "too late" for matching the second stanza?

Best Regards,

Alexandre Faraino

Tags (2)
0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎09-19-2011 07:37 AM

Your easiest solution is to just sourcetype = juniper-sa-access in the inputs.conf where you define the [udp://514] stanza. All data from that input will be marked with that sourcetype.

Reply

afaraino
Explorer
‎11-09-2011 01:11 AM

Actually, I can't : not all logs received on udp:514 are juniper-sa-access. The stanza set_juniper-sa-access contains a regex to check the format.

0 Karma
Reply

afaraino
Explorer
‎09-19-2011 06:34 AM

Found that similar topic :
http://splunk-base.splunk.com/answers/25512/is-my-sourcetype-override-messing-up-my-field-extraction...

The transforms.conf is read only once. So this is a "by design" behavior. I'll try something else.

Alex

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎09-19-2011 07:37 AM

Your easiest solution is to just sourcetype = juniper-sa-access in the inputs.conf where you define the [udp://514] stanza. All data from that input will be marked with that sourcetype.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...