https://community.splunk.com/t5/Getting-Data-In/How-to-force-to-set-certain-fields-host-and-sourcetype-for/m-p/369077#M67022 <P>you are right about HEC configuration if sourcetype, host and over fields are not defined in event.<BR /> But if sender define this fields, he will override valued defined in inputs.conf.</P> Mon, 14 Aug 2017 20:07:34 GMT gots 2017-08-14T20:07:34Z https://community.splunk.com/t5/Getting-Data-In/How-to-force-to-set-certain-fields-host-and-sourcetype-for/m-p/369074#M67019 <P>Is it possible to force Splunk to set up specific fields (sourcetype, source, host) from HEC <A href="http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf#HTTP_Event_Collector_.28HEC.29_-_Local_stanza_for_each_token">local stanza</A> <BR /> but not from event parameters?</P> <P>For example if i have inputs.conf like:</P> <PRE><CODE>[http://http_test] description = test hec input disabled = 0 connection_host = dns index = main source = test_hec_source sourcetype = test_hec_sourcetype </CODE></PRE> <P>Client can rewrite index, host, source and sourcetype if post in data json like:</P> <PRE><CODE>{ "host": fake_host, "sourcetype": fake_sourcetype, "index": fake_index, "source": fake_source } </CODE></PRE> <P>But in certain situations i need to deny modifications of this parameters. Of course i can do it with transforms.conf, but it is not convinient.</P> Mon, 14 Aug 2017 19:10:25 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-force-to-set-certain-fields-host-and-sourcetype-for/m-p/369074#M67019 gots 2017-08-14T19:10:25Z https://community.splunk.com/t5/Getting-Data-In/How-to-force-to-set-certain-fields-host-and-sourcetype-for/m-p/369075#M67020 <P>You should be able to override source and define sourcetype for HEC during configuration I know for sure. I don't believe you can for host. You should also be able to override fields using props and transforms at the indexers.</P> <P>props.conf</P> <PRE><CODE>[&lt;original sourcetype&gt;] TRANSFORMS-force_host = force_host TRANSFORMS-force_source = force_source TRANSFORMS-force_sourcetype=force_sourcetype </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[force_host] DEST_KEY=MetaData:Host FORMAT = &lt;your_host&gt; [force_source] DEST_KEY=MetaData:Source FORMAT = &lt;your_source&gt; [force_sourcetype] DEST_KEY=MetaData:Sourcetype FORMAT = &lt;your_sourcetype&gt; </CODE></PRE> <P>The only thing I am unsure of is Splunk's order of operations. If it changes the sourcetype first, would it no longer see that sourcetype for the event and skip the host and source override? I would have to test but, if so, you should be able to just create a new stanza for the new sourcetype.</P> <P><A href="https://docs.splunk.com/Documentation/SplunkCloud/6.6.1/Data/Advancedsourcetypeoverrides">https://docs.splunk.com/Documentation/SplunkCloud/6.6.1/Data/Advancedsourcetypeoverrides</A></P> Mon, 14 Aug 2017 19:46:18 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-force-to-set-certain-fields-host-and-sourcetype-for/m-p/369075#M67020 mdsnmss 2017-08-14T19:46:18Z https://community.splunk.com/t5/Getting-Data-In/How-to-force-to-set-certain-fields-host-and-sourcetype-for/m-p/369076#M67021 <P>In HEC configs, source/sourcetype settings come under the "per-token" settings: <A href="http://dev.splunk.com/view/event-collector/SP-CAAAE6Q">http://dev.splunk.com/view/event-collector/SP-CAAAE6Q</A>.</P> Mon, 14 Aug 2017 19:47:15 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-force-to-set-certain-fields-host-and-sourcetype-for/m-p/369076#M67021 mdsnmss 2017-08-14T19:47:15Z https://community.splunk.com/t5/Getting-Data-In/How-to-force-to-set-certain-fields-host-and-sourcetype-for/m-p/369077#M67022 <P>you are right about HEC configuration if sourcetype, host and over fields are not defined in event.<BR /> But if sender define this fields, he will override valued defined in inputs.conf.</P> Mon, 14 Aug 2017 20:07:34 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-force-to-set-certain-fields-host-and-sourcetype-for/m-p/369077#M67022 gots 2017-08-14T20:07:34Z