props.conf precedence

afaraino · ‎09-19-2011

Hi Everyone,

I'm having a little issue related with props.conf precedence. I want to apply a transforms stanza to set a sourcetype, then another stanza to extract the Metadata:Host field for this sourcetype. I tried this in props.conf :

[source::udp:514]
TRANSFORMS-changesourcetype = set_juniper-sa-access
[juniper-sa-access]
TRANSFORMS-changehost = juniper-sa-access_host

...but it's not working. The first transform sets the sourcetype to juniper-sa-access but the second one never applies.

If I change to that, it's working, but it's not the desired behaviour :

[source::udp:514]
TRANSFORMS-changesourcetype = set_juniper-sa-access
TRANSFORMS-changehost = juniper-sa-access_host

Any clue?

Is it about precedence (source > host > sourcetype)? or is it because the sourcetype is set "too late" for matching the second stanza?

Best Regards,

Alexandre Faraino

gkanapathy · ‎09-19-2011

Your easiest solution is to just sourcetype = juniper-sa-access in the inputs.conf where you define the [udp://514] stanza. All data from that input will be marked with that sourcetype.

afaraino · ‎11-09-2011

Actually, I can't : not all logs received on udp:514 are juniper-sa-access. The stanza set_juniper-sa-access contains a regex to check the format.

afaraino · ‎09-19-2011

Found that similar topic :
http://splunk-base.splunk.com/answers/25512/is-my-sourcetype-override-messing-up-my-field-extraction...

The transforms.conf is read only once. So this is a "by design" behavior. I'll try something else.

Alex

gkanapathy · ‎09-19-2011

Your easiest solution is to just sourcetype = juniper-sa-access in the inputs.conf where you define the [udp://514] stanza. All data from that input will be marked with that sourcetype.

props.conf precedence

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector