
I'm indexing some syslog data from UDP. I'm using a transform on the data to set the sourcetype of data from certain hosts like this:

[vmware_set_sourcetype]
SOURCE_KEY=MetaData:Host
DEST_KEY=MetaData:Sourcetype
REGEX=^host::vmware-\d+\.example\.com$
FORMAT=vmware_syslog

That works just fine. When I do a search by host, I see the data as expected, and the sourcetype is vmware_syslog. So, for example, this search returns 30,399 results:

host=vmware-* earliest=-10m

This search, however, returns none:

sourcetype=vmware_syslog earliest=-10m

It's strange, because on my search homepage, I can page through the source types, find vmware_syslog, and click on it to do a search, but I still get no results.

I just want to make sure I'm not missing something before I file a support case.

asked 18 Feb '11, 22:29


bmaupin
217
accept rate: 50%


2 Answers:

I went ahead and filed a support request, and it turns out this is a bug after all. The Splunk folks gave me this search as a workaround:

index="vmware" | search sourcetype=vmware_syslog earliest=-10m

Edit:
Apparently this isn't a bug and I was doing it wrong. The format should have had sourcetype:: prepended to it. So the transform stanza should have looked like this:

[vmware_set_sourcetype]
SOURCE_KEY=MetaData:Host
DEST_KEY=MetaData:Sourcetype
REGEX=^host::vmware-\d+\.example\.com$
FORMAT=sourcetype::vmware_syslog

answered 11 Mar '11, 16:28


bmaupin
217
accept rate: 50%

edited 15 Mar '11, 15:21
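A small Python lint, added here as an example that is not part of the original thread or of Splunk, that parses transforms.conf-style stanzas, flags a FORMAT that lacks the sourcetype:: prefix when DEST_KEY=MetaData:Sourcetype, and checks that the REGEX matches host:: keys the way the question's stanza does. The stanza names and sample host keys are constructed, and $n substitution in FORMAT is not modelled.

```python
import configparser
import re

# Constructed transforms.conf text: the broken stanza from the question next to the fixed one.
TRANSFORMS_CONF = r"""
[vmware_set_sourcetype_broken]
SOURCE_KEY=MetaData:Host
DEST_KEY=MetaData:Sourcetype
REGEX=^host::vmware-\d+\.example\.com$
FORMAT=vmware_syslog

[vmware_set_sourcetype]
SOURCE_KEY=MetaData:Host
DEST_KEY=MetaData:Sourcetype
REGEX=^host::vmware-\d+\.example\.com$
FORMAT=sourcetype::vmware_syslog
"""

# Prefix Splunk expects in FORMAT for each metadata DEST_KEY.
REQUIRED_PREFIX = {"MetaData:Sourcetype": "sourcetype::",
                   "MetaData:Host": "host::",
                   "MetaData:Source": "source::"}

def parse_transforms(text):
    """Parse transforms.conf-style stanzas into {stanza_name: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case (REGEX, FORMAT, ...)
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}

def lint_stanza(stanza):
    """Return the problems found in one metadata-rewriting stanza (empty list = ok)."""
    problems = []
    dest, fmt = stanza.get("DEST_KEY", ""), stanza.get("FORMAT", "")
    prefix = REQUIRED_PREFIX.get(dest)
    if prefix and not fmt.startswith(prefix):
        problems.append(f"FORMAT must start with '{prefix}' when DEST_KEY={dest}")
    try:
        re.compile(stanza.get("REGEX", ""))
    except re.error as exc:
        problems.append(f"REGEX does not compile: {exc}")
    return problems

def apply_stanza(stanza, host_key):
    """Return FORMAT when REGEX matches the host:: key, else None ($n substitution not modelled)."""
    return stanza["FORMAT"] if re.search(stanza["REGEX"], host_key) else None

if __name__ == "__main__":
    for name, stanza in parse_transforms(TRANSFORMS_CONF).items():
        print(name, lint_stanza(stanza) or "ok")
```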

What is the count for your sourcetype vmware_syslog on the summary page? 0?

Judging by your host=vmware-* search that returns results, your REGEX won't match any of your events. Unless you plan to use some value that will be extracted by the REGEX as a part of your sourcetype, you should use sourcetype= in props.conf, instead of your stanza in transforms.conf.

props.conf:

[source::...mystuff...]
sourcetype=vmware_syslog

P.S. It looks like host:: does not belong in your REGEX -- probably a mixup from the FORMAT clause where that syntax is often used. I would scrap the transforms.conf config and just use props.conf for this.


answered 19 Feb '11, 00:54


Ron Naken
4.1k3427
accept rate: 38%

The count for sourcetype vmware_syslog on the summary page is 126,675,534. If it were 0, then I wouldn't have expected any results when I clicked on it ;)

...which also indicates the regex works fine, host:: and all. I got the idea from here:

http://answers.splunk.com/questions/7125/sending-to-different-index-based-on-host-from-syslog-stream#answer-7127

I'm already using sourcetype= in props.conf to set the sourcetype of most of the data coming into this UDP listener. I need to set data from other servers as a separate sourcetype, but I can't send it to a separate port.

(21 Feb '11, 15:22) bmaupin

Last updated: 15 Mar '11, 15:21

Copyright © 2005-2012 Splunk Inc. All rights reserved.