Hi,
I'm having an issue with setting the sourcetype in transforms.conf at the moment of sending the data of a single file to an index. In the first instance the data is sent to another index successfully but with the wrong sourcetype. Here are my conf files:
props.conf:
[snmp-traps_cisco-prime]
DATETIME_CONFIG =
NO_BINARY_CHECK = true
category = Custom
description = Sourcetype Generico SNMP TRAPS CISCO PRIME
pulldown_type = true
disabled = false
TRANSFORMS-reenvioindexes_cambiostype = aruba
transforms.conf:
[aruba]
REGEX = \[UDP\:\s\[115\.100\.9\.100\]
DEST_KEY = _MetaData:Index
FORMAT = aruba
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::aw:stm
P.S.: I'm trying to assign an Aruba Networks sourcetype to an snmptrap.
Thanks in advance.
Diego
The DEST_KEY value must match what's in the docs (https://docs.splunk.com/Documentation/Splunk/8.1.1/Admin/Transformsconf#KEYS:) *exactly*.
DEST_KEY = MetaData:Sourcetype
I'm very thankful for this help, Rich. Thanks again.
One cannot change more than one DEST_KEY in the same transform. If a single stanza contains the same key more than once, the last setting is used. In the example, only MetaData:Sourcetype is set. To set two keys, use two transforms.
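The two problems raised in this thread (a key repeated inside one stanza, and a DEST_KEY whose spelling or case does not match the documented key) can be caught before a restart. The following is an added example, not code from the posters or from Splunk; the function name lint_transforms and the key list, which is a subset to confirm against the docs for your version, are assumptions, and the sample stanzas are reconstructed from the posts on this page.

```python
import re

# Assumed subset of the DEST_KEY values documented for transforms.conf.
# Comparison is case-sensitive, as the answers in this thread point out.
DOCUMENTED_KEYS = {
    "_raw", "_meta", "queue", "_MetaData:Index", "MetaData:Host",
    "MetaData:Source", "MetaData:Sourcetype", "_TCP_ROUTING", "_SYSLOG_ROUTING",
}

def lint_transforms(text):
    """Return (stanza, message) findings for the body of a transforms.conf."""
    findings, stanza, seen = [], None, {}
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:                       # new stanza: reset the per-stanza state
            stanza, seen = header.group(1), {}
        elif stanza and "=" in line and not line.startswith("#"):
            key, value = (p.strip() for p in line.split("=", 1))
            if key in seen:              # last setting wins, earlier one is lost
                findings.append(
                    (stanza, f"duplicate {key}: {seen[key]!r} is replaced by {value!r}"))
            seen[key] = value
            if key == "DEST_KEY" and value not in DOCUMENTED_KEYS:
                near = [k for k in sorted(DOCUMENTED_KEYS)
                        if k.lower().lstrip("_") == value.lower().lstrip("_")]
                hint = f"; did you mean {near[0]!r}?" if near else ""
                findings.append((stanza, f"undocumented DEST_KEY {value!r}{hint}"))
    return findings

# Sample inputs reconstructed from the configurations posted in this thread.
REGEX_LINE = r"REGEX = \[UDP\:\s\[115\.100\.9\.100\]"
FIRST_ATTEMPT = f"""[aruba]
{REGEX_LINE}
DEST_KEY = _MetaData:Index
FORMAT = aruba
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::aw:stm
"""
SECOND_ATTEMPT = f"""[aruba]
{REGEX_LINE}
DEST_KEY = _MetaData:Index
FORMAT = aruba
[aruba_stype]
{REGEX_LINE}
DEST_KEY = Metadata:Sourcetype
FORMAT = sourcetype::aw:stm
"""
FIXED = SECOND_ATTEMPT.replace("Metadata:Sourcetype", "MetaData:Sourcetype")

if __name__ == "__main__":
    for name, conf in [("first", FIRST_ATTEMPT), ("second", SECOND_ATTEMPT), ("fixed", FIXED)]:
        print(name, lint_transforms(conf))
```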
Hi Rich,
I applied the configuration that you mentioned, but the sourcetype is still the same.
Here are my new files:
props.conf
[snmp-traps_cisco-prime]
DATETIME_CONFIG =
NO_BINARY_CHECK = true
category = Custom
description = Sourcetype Generico SNMP TRAPS CISCO PRIME
pulldown_type = true
disabled = false
TRANSFORMS-reenvioindexes = aruba
TRANSFORMS-cambiosourcetype = aruba_stype
transforms.conf
[aruba]
REGEX = \[UDP\:\s\[115\.100\.9\.100\]
DEST_KEY = _MetaData:Index
FORMAT = aruba
[aruba_stype]
REGEX = \[UDP\:\s\[115\.100\.9\.100\]
DEST_KEY = Metadata:Sourcetype
FORMAT = sourcetype::aw:stm
And when I restart I get the following message.
"Undocumented key used in transforms.conf; stanza='aruba_stype' setting='DEST_KEY' key='Metadata:Sourcetype'
Please resolve these problems by correcting typos in key names, or by adding them to [accepted_keys] in transforms.conf if they are intended."
Thanks again.