How to Config sourcetype for kafka topic inputs

ross0nero · ‎03-18-2016

I can't find place to set sourcetype for different kafka topic input,how can I config it for event breaker or timestamp modify?
thank you

rpille_splunk · ‎03-18-2016

Thanks for your question, Ross. The add-on automatically sets the source type for you based on the data source and the log format. The source types, along with their timestamp methods, are documented here: http://docs.splunk.com/Documentation/AddOns/latest/Kafka/Sourcetypes

Knowledge management in the TA depends on these source types, so you should not change them without also then modifying props.conf. If you find you need to further adjust event breaking or timestamps, you can do that manually in props.conf. http://docs.splunk.com/Documentation/Splunk/latest/admin/Propsconf

ross0nero · ‎03-21-2016

Hello，rpille，Kafka topic data collected through a modular input use default sourcetype kafka:topicEvent
If I have two different log in kafka topic，how can I adjust breaking or timestamps two different log type with same sourcetype？
thank you

rpille_splunk · ‎03-22-2016

I see. Yes, the add-on is content-agnostic for whatever your payloads may be in your Kafka topics, so it doesn't do any detection for different data types. You can achieve this manually in props.conf. Here is the advanced overrides page for reference: http://docs.splunk.com/Documentation/Splunk/6.3.3/Data/Advancedsourcetypeoverrides

How to Config sourcetype for kafka topic inputs

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms