https://community.splunk.com/t5/Getting-Data-In/Sourcetype-Inheritance-How-to-inherit-parent-sourcetype-to-child/m-p/424538#M74464 <P>check Palo Alto TA (props.conf) for detailed description on how to solve your problem. so your example would look something like this below. </P> <P>[my:application]<BR /> # all common extractions here</P> <H1>TRANSFORMS-sourcetype =my:application:audit,my:application:transaction</H1> <P>[my:application:audit]<BR /> # some very specific extractions for audit only</P> <P>[my:application:transaction]<BR /> # some very specific extractions for txns</P> Thu, 23 Aug 2018 15:04:11 GMT yahuja_splunk 2018-08-23T15:04:11Z https://community.splunk.com/t5/Getting-Data-In/Sourcetype-Inheritance-How-to-inherit-parent-sourcetype-to-child/m-p/424536#M74462 <P>Hope you all have faced this situation.. We got incoming mixed data from a single source (eg source=my_application.log) . This currently is parsed at arrival as <CODE>sourcetype=my:application</CODE> . But this contains valuable information of <CODE>application:audit</CODE> and <CODE>application:transactions</CODE> for example.</P> <P>Most of the search-time extractions are similar for audit &amp; transactions. But currently I have to copy all of the logic on each sourcetype which is pure duplication of code.</P> <P>Any ideas/tricks to ensure the search-time extractions done on parent-sourcetype can be inherited to child sourcetypes?<BR /> Expecting something like below</P> <PRE><CODE>[my:application] # all common extractions here ## Hope to inherit all work done in above sourcetype [my:application:audit] # some very specific extractions for audit only [my:application:transaction] # some very specific extractions for txns </CODE></PRE> Thu, 23 Aug 2018 08:18:21 GMT https://community.splunk.com/t5/Getting-Data-In/Sourcetype-Inheritance-How-to-inherit-parent-sourcetype-to-child/m-p/424536#M74462 koshyk 2018-08-23T08:18:21Z https://community.splunk.com/t5/Getting-Data-In/Sourcetype-Inheritance-How-to-inherit-parent-sourcetype-to-child/m-p/424537#M74463 <P>You can rename sourcetypes as per: <A href="https://docs.splunk.com/Documentation/Splunk/7.1.2/Data/Renamesourcetypes">https://docs.splunk.com/Documentation/Splunk/7.1.2/Data/Renamesourcetypes</A>. <BR /> I usually approach this using a transforms to set sourcetype at ingest, though not positive that would be of most use to you. Is it possible to post sample events scrubbed of course:))?</P> Thu, 23 Aug 2018 14:52:50 GMT https://community.splunk.com/t5/Getting-Data-In/Sourcetype-Inheritance-How-to-inherit-parent-sourcetype-to-child/m-p/424537#M74463 sshelly_splunk 2018-08-23T14:52:50Z https://community.splunk.com/t5/Getting-Data-In/Sourcetype-Inheritance-How-to-inherit-parent-sourcetype-to-child/m-p/424538#M74464 <P>check Palo Alto TA (props.conf) for detailed description on how to solve your problem. so your example would look something like this below. </P> <P>[my:application]<BR /> # all common extractions here</P> <H1>TRANSFORMS-sourcetype =my:application:audit,my:application:transaction</H1> <P>[my:application:audit]<BR /> # some very specific extractions for audit only</P> <P>[my:application:transaction]<BR /> # some very specific extractions for txns</P> Thu, 23 Aug 2018 15:04:11 GMT https://community.splunk.com/t5/Getting-Data-In/Sourcetype-Inheritance-How-to-inherit-parent-sourcetype-to-child/m-p/424538#M74464 yahuja_splunk 2018-08-23T15:04:11Z https://community.splunk.com/t5/Getting-Data-In/Sourcetype-Inheritance-How-to-inherit-parent-sourcetype-to-child/m-p/424539#M74465 <P>hi, this didn't do for me. <BR /> Since Transformations happen at indextime, how can Search Head (where search-time extractions) know to apply the search-time extractions for another sourcetype?</P> Fri, 24 Aug 2018 20:54:21 GMT https://community.splunk.com/t5/Getting-Data-In/Sourcetype-Inheritance-How-to-inherit-parent-sourcetype-to-child/m-p/424539#M74465 koshyk 2018-08-24T20:54:21Z https://community.splunk.com/t5/Getting-Data-In/Sourcetype-Inheritance-How-to-inherit-parent-sourcetype-to-child/m-p/424540#M74466 <P>I liked this idea. I feel its bit childish as per the document, but a new way. thanks for that. </P> Fri, 24 Aug 2018 20:56:11 GMT https://community.splunk.com/t5/Getting-Data-In/Sourcetype-Inheritance-How-to-inherit-parent-sourcetype-to-child/m-p/424540#M74466 koshyk 2018-08-24T20:56:11Z https://community.splunk.com/t5/Getting-Data-In/Sourcetype-Inheritance-How-to-inherit-parent-sourcetype-to-child/m-p/424541#M74467 <P>Hi,</P> <P>have you tried to copy your props.conf on both systems (index and search head)?</P> Thu, 05 Mar 2020 10:29:43 GMT https://community.splunk.com/t5/Getting-Data-In/Sourcetype-Inheritance-How-to-inherit-parent-sourcetype-to-child/m-p/424541#M74467 DimasSouza 2020-03-05T10:29:43Z https://community.splunk.com/t5/Getting-Data-In/Sourcetype-Inheritance-How-to-inherit-parent-sourcetype-to-child/m-p/424542#M74468 <P>Hi</P> <P>Transformation works also on search time, but you must have those definitions on search head layers (just like fields.conf).</P> <P>T. Ismo</P> Thu, 05 Mar 2020 17:09:32 GMT https://community.splunk.com/t5/Getting-Data-In/Sourcetype-Inheritance-How-to-inherit-parent-sourcetype-to-child/m-p/424542#M74468 isoutamo 2020-03-05T17:09:32Z