Refine your search:

Tranformations to set different sourcetypes based on fields in an event

0

I am trying to change the sourcetype on the events from a dataset based on certain fields in the dataset that is currently being added using a scripted input. This is what I have currently:

props.conf

[source::testservice] TRANSFORMS-changesourcetype = sourcetype-test1info, sourcetype-test2info

transforms.conf

[sourcetype-test1info] DEST_KEY = MetaData:SourceType REGEX = "field1=(?<fieldvalue>[^ ])" FORMAT = sourcetype::test1info CLEAN_KEYS = 0 MV_ADD = 0 [sourcetype-test2info] DEST_KEY = MetaData:SourceType REGEX = "field2=(?<fieldvalue>[^ ])" FORMAT = sourcetype::test2info CLEAN_KEYS = 0 MV_ADD = 0

The files are currently located in etc/apps/appname/local. I dont see this transformation having any effect. The event would look something like: 2011-06-01 20:41:13 PDT timestamp=1306986073 field1=value1 location=testlocation

Any idea what I may be missing?

asked 02 Jun '11, 08:45

pksudip's gravatar image

pksudip
32
accept rate: 0%

2 Answers:
oldestnewestmost voted
0

I believe that your DEST_KEY value isn't valid....keys are case-sensitive and MetaData:Sourcetype is the correct value, not MetaData:SourceType

From: $SPLUNK_HOME/etc/system/README/transforms.conf.spec

*

KEYS:

*

  • NOTE: Keys are case-sensitive. Use the following keys exactly as they appear.

queue : Specify which queue to send the event to (can be parsingQueue, nullQueue, indexQueue). _raw : The raw text of the event. _done : If set to any string, this represents the last event in a stream. _meta : A space-separated list of metadata for an event. _time : The timestamp of the event, in seconds since 1/1/1970 UTC. MetaData:FinalType : The event type of the event.

MetaData:Host : The host associated with the event. The value must be prefixed by "host::"

_MetaData:Index : The index where the event should be stored.

MetaData:Source : The source associated with the event. The value must be prefixed by "source::"

MetaData:Sourcetype : The sourcetype of the event. The value must be prefixed by "sourcetype::"

link

answered 02 Jun '11, 22:51

cgilbert_splunk's gravatar image

cgilbert_splunk
1162
accept rate: 55%

0

That was the issue, after fixing that I also realized that the regex shouldn't be in double quotes. Thanks for the quick response!!

link

answered 03 Jun '11, 10:30

pksudip's gravatar image

pksudip
32
accept rate: 0%

Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×141

Asked: 02 Jun '11, 08:45

Seen: 1,201 times

Last updated: 03 Jun '11, 10:30

Related questions

Combining 2 different search results based on fields

Relevance of Ratings Based on Different Weights by ID

subsearch join on delta by even in logs from two different sourcetypes

set host value based on event

how to create sourcetype based on raw field in splunk

Scheduled saved search based on an a specific event in a log

Scheduled saved search based on an a specific event in a log

Event-level filtering based on LDAP query

Copyright © 2005-2012 Splunk Inc. All rights reserved.