Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

props.conf precedence

afaraino
Explorer
‎09-19-2011 02:38 AM

Hi Everyone,

I'm having a little issue related with props.conf precedence. I want to apply a transforms stanza to set a sourcetype, then another stanza to extract the Metadata:Host field for this sourcetype. I tried this in props.conf :

[source::udp:514]
TRANSFORMS-changesourcetype = set_juniper-sa-access
[juniper-sa-access]
TRANSFORMS-changehost = juniper-sa-access_host

...but it's not working. The first transform sets the sourcetype to juniper-sa-access but the second one never applies.

If I change to that, it's working, but it's not the desired behaviour :

[source::udp:514]
TRANSFORMS-changesourcetype = set_juniper-sa-access
TRANSFORMS-changehost = juniper-sa-access_host

Any clue?

Is it about precedence (source > host > sourcetype)? or is it because the sourcetype is set "too late" for matching the second stanza?

Best Regards,

Alexandre Faraino

Tags (2)
0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎09-19-2011 07:37 AM

Your easiest solution is to just sourcetype = juniper-sa-access in the inputs.conf where you define the [udp://514] stanza. All data from that input will be marked with that sourcetype.

Reply

afaraino
Explorer
‎11-09-2011 01:11 AM

Actually, I can't : not all logs received on udp:514 are juniper-sa-access. The stanza set_juniper-sa-access contains a regex to check the format.

0 Karma
Reply

afaraino
Explorer
‎09-19-2011 06:34 AM

Found that similar topic :
http://splunk-base.splunk.com/answers/25512/is-my-sourcetype-override-messing-up-my-field-extraction...

The transforms.conf is read only once. So this is a "by design" behavior. I'll try something else.

Alex

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎09-19-2011 07:37 AM

Your easiest solution is to just sourcetype = juniper-sa-access in the inputs.conf where you define the [udp://514] stanza. All data from that input will be marked with that sourcetype.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...