I'm trying to follow the pattern of matching a string and transforming the event into a new sourcetype. I'm using a sourcetype for syslog defined in inputs.conf; it is being read from logs.
**/var/log/syslog contains events matching string "sqsd" that I would like to rewrite to a new sqsd sourcetype**
I've found multiple Answers posts about this topic but can't seem to determine why I'm not getting any data as the transformed sourcetype. Originally, I thought the problem was in my REGEX in transforms.conf, but if I set it to `.*` or remove it completely I still don't get results.
**inputs.conf**
```
[monitor:///var/log/syslog]
sourcetype = syslog
index = test
ignoreOlderThan = 24h
```
**props.conf**
```
[syslog]
TRANSFORMS-syslog = set_sqsd_sourcetype
```
**transforms.conf**
```
[set_sqsd_sourcetype]
REGEX = sqsd
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::sqsd
```
splunkd.log does not show any errors, so I don't think my conf files are invalid. Right now I am seeing all events as sourcetype=syslog.
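As an added example (not part of the question and not Splunk's own code), here is a small Python emulation of the index-time TRANSFORMS-* lookup that the question's props.conf and transforms.conf describe: it parses the two stanzas, runs REGEX against each event's raw text and rewrites the sourcetype when DEST_KEY is MetaData:Sourcetype. The syslog lines are constructed; the emulation only covers this sourcetype-rewrite case, so it is a way to check a REGEX against sample lines offline, not a model of the full Splunk pipeline.

```python
import configparser
import re

# Stand-ins for the props.conf and transforms.conf stanzas from the question.
PROPS_CONF = """
[syslog]
TRANSFORMS-syslog = set_sqsd_sourcetype
"""

TRANSFORMS_CONF = """
[set_sqsd_sourcetype]
REGEX = sqsd
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::sqsd
"""

# Constructed sample events, as they would be read from /var/log/syslog.
SAMPLE_EVENTS = [
    "Mar  1 10:00:00 host1 sqsd[1234]: polled queue, 0 messages",
    "Mar  1 10:00:01 host1 sshd[99]: Accepted publickey for alice",
]


def load_conf(text):
    """Parse a Splunk-style .conf file; keep key case (REGEX, DEST_KEY)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def apply_transforms(sourcetype, raw, props, transforms):
    """Return the sourcetype an event ends up with after the TRANSFORMS-*
    classes of its props stanza run (only MetaData:Sourcetype rewrites)."""
    new_sourcetype = sourcetype
    if not props.has_section(sourcetype):
        return new_sourcetype
    for key, value in props.items(sourcetype):
        if not key.startswith("TRANSFORMS"):
            continue
        for name in (n.strip() for n in value.split(",")):
            stanza = transforms[name]
            if stanza.get("DEST_KEY") != "MetaData:Sourcetype":
                continue
            if re.search(stanza["REGEX"], raw):  # REGEX runs against _raw
                fmt = stanza["FORMAT"]           # expected form: sourcetype::<name>
                new_sourcetype = fmt.split("::", 1)[1] if "::" in fmt else fmt
    return new_sourcetype


def route_events(events=SAMPLE_EVENTS, input_sourcetype="syslog"):
    """Map each event to (resulting sourcetype, raw line)."""
    props = load_conf(PROPS_CONF)
    transforms = load_conf(TRANSFORMS_CONF)
    return [(apply_transforms(input_sourcetype, e, props, transforms), e) for e in events]
```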