Why is my props.conf for a specific sourcetype not working as expected?

When placing my props and transforms on my production system, I am not getting expected results. It should be taking sourcetype webseal:syslog, which is ingested from /var/log/messages, and setting a new timestamp, host, and sourcetype. The timestamps are all different. The app is placed on our Heavy Forwarder (I know) in our Dev and production system. It works perfectly in Dev, but nothing in production.

Let's start with my props.conf, because I haven't confirmed any issue with transforms, and I know TIME_PREFIX isn't working:

    [webseal:syslog]
    TIME_PREFIX = ^\w{3}\s+\d+\s\d+\:\d{2}\:\d{2}\s\S+\s\S+\s
    SHOULD_LINEMERGE = False
    TRANSFORMS-host = webseal-host
    TRANSFORMS-sourcetype = webseal-null, request-ST, isam-ST, lavender-ST, pdweb-ST

Here's what I've checked:

- Btool on the HFs shows it is reading props and transforms
- GUI on HFs shows it is reading props
- I checked all my regex statements within splunk search and on regex101. all correct.
- tried putting props and transforms statements within a different parsing app that is working. no luck.
- tried putting props and transforms within system/local on HF. no luck.
- tried putting app on indexers instead. no luck.
- tried switching sourcetype name on inputs and props. no luck.
- tried switching props stanza to [source::/var/log/messages]. no luck.
- tried removing the app and setting only TIME_PREFIX through the gui on HF. no luck.

And yes, I restarted splunkd in between all my tests. I've run out of ideas, and don't have any options other than ingesting all these logs from one file.
