Upgraded the Splunk App for VMware to 3.4.0 with VMware v6.5.0...
We are not seeing any sourcetype extractions based on the props and transforms in Splunk_TA_vcenter...
Splunk_TA_vcenter is installed on the HF (syslog), the indexer and the search head (stand-alone search head, dedicated to VMware).
vCenter---->HF(syslog)------>Indexer------>SearchHead
#our custom inputs on HF
inputs.conf
[monitor:///var/log/vmware_hosts/vcenter-*.myorg/messages*]
disabled = 0
sourcetype = vclog
host_segment = 4
index = vmware-vclog
#props and transforms are from Splunk_TA_vcenter
props.conf
[vclog]
SHOULD_LINEMERGE = false
TRANSFORMS-vmwvclogsourcetype = set_vclog_sourcetype
transforms.conf
#Sourcetype Extraction
[set_vclog_sourcetype]
REGEX = ^([a-z\-]+)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::vmware:vclog:$1
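
An added check, not part of the original post and not code from the TA: this Python model applies the posted set_vclog_sourcetype transform to raw lines and shows which ones keep the plain vclog sourcetype because the anchored REGEX does not match the start of the line. The sample lines are constructed, and using Python's re module in place of Splunk's regex engine is an assumption that is safe for this simple pattern.

```python
import re

# Values copied from the transforms.conf stanza in the post.
REGEX = r"^([a-z\-]+)"
FORMAT = "sourcetype::vmware:vclog:$1"
INPUT_SOURCETYPE = "vclog"  # set by the monitor stanza in inputs.conf


def apply_sourcetype_transform(raw, sourcetype=INPUT_SOURCETYPE):
    """Model the index-time rewrite: REGEX is tested against _raw (the
    default SOURCE_KEY); on a match, FORMAT with $n filled in becomes the
    new MetaData:Sourcetype. On no match the event keeps its sourcetype."""
    m = re.search(REGEX, raw)
    if m is None:
        return sourcetype
    value = re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), FORMAT)
    # The "sourcetype::" prefix is the key's marker, not part of the name.
    return value.split("::", 1)[1]


def audit(events):
    """Return (first 40 chars, resulting sourcetype, rewritten?) per event."""
    rows = []
    for raw in events:
        st = apply_sourcetype_transform(raw)
        rows.append((raw[:40], st, st != INPUT_SOURCETYPE))
    return rows


# Constructed sample lines (not taken from a real vCenter). The first two
# start with a lowercase program name; the last two start with a header
# of the kind a syslog daemon can prepend when writing to disk.
SAMPLE_EVENTS = [
    "vpxd 2017-03-01T10:15:02.123Z info vpxd[7F2C] constructed message",
    "vpxd-profiler 2017-03-01T10:15:03.456Z info constructed message",
    "Mar  1 10:15:02 vcenter-01.myorg vpxd: constructed message",
    "2017-03-01T10:15:02+00:00 vcenter-01.myorg vpxd constructed message",
]

if __name__ == "__main__":
    for head, st, changed in audit(SAMPLE_EVENTS):
        print(f"{'rewritten' if changed else 'unchanged':9}  {st:28}  {head}")
```

Replacing SAMPLE_EVENTS with a few lines copied from the monitored messages files on the HF shows whether the transform can match what is actually being read.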