Splunk Enterprise

Couldn't set sourcetype on transforms.conf

tdepablo88
Explorer

Hi,

I'm having an issue with the set of the sourcetype in transforms.conf at the moment of sending the data of a single file to an a index. In first instance the data sends to another index succesfully but with the wrong sourcetype. Here are my conf files:

props.conf:

[snmp-traps_cisco-prime]
DATETIME_CONFIG =
NO_BINARY_CHECK = true
category = Custom
description = Sourcetype Generico SNMP TRAPS CISCO PRIME
pulldown_type = true
disabled = false
TRANSFORMS-reenvioindexes_cambiostype = aruba

transforms.conf:

[aruba]
REGEX = \[UDP\:\s\[115\.100\.9\.100\]
DEST_KEY = _MetaData:Index
FORMAT = aruba
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype:🇦🇼stm

P.D: im trying to asign a Aruba Networks sourcetype of a snmptrap.

Thanks in advance.

Diego

 

Labels (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

The DEST_KEY value must match what's in the docs (https://docs.splunk.com/Documentation/Splunk/8.1.1/Admin/Transformsconf#KEYS🙂 *exactly*.

DEST_KEY = MetaData:Sourcetype

 

---
If this reply helps you, an upvote would be appreciated.

View solution in original post

tdepablo88
Explorer

I'm very thankful with this help Rich, thanks again.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

One cannot change more than one DEST_KEY in the same transform.  If a single stanza contains the same key more than once, the last setting is used.  In the example, only MetaData:Sourcetype is set.  To set two keys, use two transforms.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

tdepablo88
Explorer

Hi Rich,

i applied the configuration what you mention, but the sourcetype still the same.

Here are my new files:

props.conf

[snmp-traps_cisco-prime]
DATETIME_CONFIG =
NO_BINARY_CHECK = true
category = Custom
description = Sourcetype Generico SNMP TRAPS CISCO PRIME
pulldown_type = true
disabled = false
TRANSFORMS-reenvioindexes = aruba
TRANSFORMS-cambiosourcetype = aruba_stype

transforms.conf

[aruba]
REGEX = \[UDP\:\s\[115\.100\.9\.100\]
DEST_KEY = _MetaData:Index
FORMAT = aruba

[aruba_stype]
REGEX = \[UDP\:\s\[115\.100\.9\.100\]
DEST_KEY = Metadata:Sourcetype
FORMAT = sourcetype:🇦🇼stm

And when i restart i have the next message.

"Undocumented key used in transforms.conf; stanza='aruba_stype' setting='DEST_KEY' key='Metadata:Sourcetype'
Please resolve these problems by correcting typos in key names, or by adding them to [accepted_keys] in transforms.conf if they are intended."

Thanks again.

Tags (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

The DEST_KEY value must match what's in the docs (https://docs.splunk.com/Documentation/Splunk/8.1.1/Admin/Transformsconf#KEYS🙂 *exactly*.

DEST_KEY = MetaData:Sourcetype

 

---
If this reply helps you, an upvote would be appreciated.

View solution in original post

.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!