I am trying [once again] to rewrite metadata, host, source and source type from fields in my event.
I have an event like:
{
  "datasource": "otherport",
  "ident": "root",
  "message": "This is a test",
  "orighost": "play"
}
Note: My initial source type is fluentd when the event comes in.
I created an app and put my config in the $SPLUNK_HOME/apps/fluentd/default directory and have a props and a transforms that don't do anything, yet they work perfectly on another host. The data is coming in through a syslog TCP port 9999, so the initial source is tcp:9999.
props:
[fluentd]
SHOULD_LINEMERGE = false
INDEXED_EXTRACTIONS = json
TRANSFORMS-updateMetaData = autohost,, autosource, autoparse
transforms:
[autosource]
SOURCE_KEY = field:datasource
REGEX = (.*)
FORMAT = sourcetype::$1
DEST_KEY = MetaData:Sourcetype
[autohost]
SOURCE_KEY = field:orighost
REGEX = (.*)
FORMAT = host::$1
DEST_KEY = MetaData:Host
[autoparse]
SOURCE_KEY = field:message
REGEX = (.*)
FORMAT = $1
DEST_KEY = _raw
Any help is appreciated, I cannot figure out why Splunk ignores this config!
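One thing worth checking before digging into the index-time pipeline is whether every name in the TRANSFORMS-* list actually resolves to a stanza in transforms.conf and whether each FORMAT matches its DEST_KEY. The following linter is an added example, not code from the question or from Splunk; it embeds constructed copies of the props.conf and transforms.conf from the post and assumes Python's configparser is enough for these simple stanzas (real Splunk .conf files allow syntax it does not handle, such as line continuations).

```python
import configparser

# Constructed copies of the props.conf / transforms.conf shown in the
# question, embedded here so the check runs offline.
PROPS_CONF = """
[fluentd]
SHOULD_LINEMERGE = false
INDEXED_EXTRACTIONS = json
TRANSFORMS-updateMetaData = autohost,, autosource, autoparse
"""

TRANSFORMS_CONF = """
[autosource]
SOURCE_KEY = field:datasource
REGEX = (.*)
FORMAT = sourcetype::$1
DEST_KEY = MetaData:Sourcetype

[autohost]
SOURCE_KEY = field:orighost
REGEX = (.*)
FORMAT = host::$1
DEST_KEY = MetaData:Host

[autoparse]
SOURCE_KEY = field:message
REGEX = (.*)
FORMAT = $1
DEST_KEY = _raw
"""

# Metadata DEST_KEY values and the FORMAT prefix Splunk expects for each.
EXPECTED_FORMAT_PREFIX = {
    "MetaData:Sourcetype": "sourcetype::",
    "MetaData:Host": "host::",
    "MetaData:Source": "source::",
}


def parse_conf(text):
    """Parse a minimal .conf file into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case (TRANSFORMS-... is case-sensitive)
    cp.read_string(text)
    return {stanza: dict(cp[stanza]) for stanza in cp.sections()}


def check_transforms(props_text, transforms_text):
    """Return a list of human-readable problems found in the two files."""
    props = parse_conf(props_text)
    transforms = parse_conf(transforms_text)
    problems = []

    # 1. Every name listed in a TRANSFORMS-* key must be a real stanza.
    for stanza, keys in props.items():
        for key, value in keys.items():
            if not key.startswith("TRANSFORMS-"):
                continue
            names = [n.strip() for n in value.split(",")]
            for idx, name in enumerate(names):
                if name == "":
                    problems.append(
                        f"[{stanza}] {key}: empty transform name at position {idx} (stray comma?)")
                elif name not in transforms:
                    problems.append(
                        f"[{stanza}] {key}: transform '{name}' has no stanza in transforms.conf")

    # 2. Each transform needs a REGEX, and a metadata DEST_KEY needs the
    #    matching FORMAT prefix (host::, sourcetype::, source::).
    for name, keys in transforms.items():
        if "REGEX" not in keys:
            problems.append(f"[{name}]: missing REGEX")
        dest = keys.get("DEST_KEY", "")
        fmt = keys.get("FORMAT", "")
        prefix = EXPECTED_FORMAT_PREFIX.get(dest)
        if prefix and not fmt.startswith(prefix):
            problems.append(
                f"[{name}]: DEST_KEY {dest} expects FORMAT to start with '{prefix}', got '{fmt}'")
    return problems


if __name__ == "__main__":
    for line in check_transforms(PROPS_CONF, TRANSFORMS_CONF) or ["no problems found"]:
        print(line)
```

Run it against the two embedded strings (or swap in the contents of your own files) and fix anything it reports before restarting Splunk; when the list is empty, the problem lies elsewhere in the pipeline rather than in the stanza wiring.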