Splunk Enterprise

Couldn't set sourcetype on transforms.conf

tdepablo88
Explorer

Hi,

I'm having an issue with the set of the sourcetype in transforms.conf at the moment of sending the data of a single file to an a index. In first instance the data sends to another index succesfully but with the wrong sourcetype. Here are my conf files:

props.conf:

[snmp-traps_cisco-prime]
DATETIME_CONFIG =
NO_BINARY_CHECK = true
category = Custom
description = Sourcetype Generico SNMP TRAPS CISCO PRIME
pulldown_type = true
disabled = false
TRANSFORMS-reenvioindexes_cambiostype = aruba

transforms.conf:

[aruba]
REGEX = \[UDP\:\s\[115\.100\.9\.100\]
DEST_KEY = _MetaData:Index
FORMAT = aruba
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype:🇦🇼stm

P.D: im trying to asign a Aruba Networks sourcetype of a snmptrap.

Thanks in advance.

Diego

 

Labels (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

The DEST_KEY value must match what's in the docs (https://docs.splunk.com/Documentation/Splunk/8.1.1/Admin/Transformsconf#KEYS🙂 *exactly*.

DEST_KEY = MetaData:Sourcetype

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

tdepablo88
Explorer

I'm very thankful with this help Rich, thanks again.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

One cannot change more than one DEST_KEY in the same transform.  If a single stanza contains the same key more than once, the last setting is used.  In the example, only MetaData:Sourcetype is set.  To set two keys, use two transforms.

---
If this reply helps you, Karma would be appreciated.
0 Karma

tdepablo88
Explorer

Hi Rich,

i applied the configuration what you mention, but the sourcetype still the same.

Here are my new files:

props.conf

[snmp-traps_cisco-prime]
DATETIME_CONFIG =
NO_BINARY_CHECK = true
category = Custom
description = Sourcetype Generico SNMP TRAPS CISCO PRIME
pulldown_type = true
disabled = false
TRANSFORMS-reenvioindexes = aruba
TRANSFORMS-cambiosourcetype = aruba_stype

transforms.conf

[aruba]
REGEX = \[UDP\:\s\[115\.100\.9\.100\]
DEST_KEY = _MetaData:Index
FORMAT = aruba

[aruba_stype]
REGEX = \[UDP\:\s\[115\.100\.9\.100\]
DEST_KEY = Metadata:Sourcetype
FORMAT = sourcetype:🇦🇼stm

And when i restart i have the next message.

"Undocumented key used in transforms.conf; stanza='aruba_stype' setting='DEST_KEY' key='Metadata:Sourcetype'
Please resolve these problems by correcting typos in key names, or by adding them to [accepted_keys] in transforms.conf if they are intended."

Thanks again.

Tags (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

The DEST_KEY value must match what's in the docs (https://docs.splunk.com/Documentation/Splunk/8.1.1/Admin/Transformsconf#KEYS🙂 *exactly*.

DEST_KEY = MetaData:Sourcetype

 

---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Getting Started with AIOps:Event Correlation Basics and Alert Storm Detection in Splunk IT Service ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...