I'm working on a TA to process Venafi messages brought in via RestAPI. When I was testing I used hostname in the props.conf file to call the transform to change the sourcetype. I can't do that in production because the production Windows servers send logs via the UF. I tried this yesterday in test.
props.conf
[source::Venafi\sTrust\sProtection\sPlatform]
TZ = US/Pacific
# Run the transform below against every event matched by this source stanza
TRANSFORMS-venafi = venafi_sourcetype_rename
transforms.conf
[venafi_sourcetype_rename]
# Overwrite the event's sourcetype metadata field
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::venafi_tpp
# Match any event (at least one character of raw data)
REGEX = (.)
According to the Splunk documentation it is a source-matching pattern
3. source::<source>, where <source> is the source, or source-matching pattern, for an event.
This is what I have to work with
source = Venafi Trust Protection Platform
sourcetype = Venafi TPP Log Event
Any ideas on how I can use source to reset sourcetype?
TIA,
Joe