I can't find a place to set the sourcetype for different Kafka topic inputs. How can I configure it for event breaking or timestamp modification?
Thank you.
Thanks for your question, Ross. The add-on automatically sets the source type for you based on the data source and the log format. The source types, along with their timestamp methods, are documented here: http://docs.splunk.com/Documentation/AddOns/latest/Kafka/Sourcetypes
Knowledge management in the TA depends on these source types, so you should not change them without also then modifying props.conf. If you find you need to further adjust event breaking or timestamps, you can do that manually in props.conf. http://docs.splunk.com/Documentation/Splunk/latest/admin/Propsconf
Hello, rpille. Kafka topic data collected through a modular input uses the default sourcetype kafka:topicEvent.
If I have two different logs in a Kafka topic, how can I adjust breaking or timestamps for two different log types with the same sourcetype?
Thank you.
I see. Yes, the add-on is content-agnostic for whatever your payloads may be in your Kafka topics, so it doesn't do any detection for different data types. You can achieve this manually in props.conf. Here is the advanced overrides page for reference: http://docs.splunk.com/Documentation/Splunk/6.3.3/Data/Advancedsourcetypeoverrides