Getting Data In

How can I define new sourcetypes for one single TCP input ?

jimnol
New Member

Hello,

I'm trying to implement Splunk on a really big project.
My team and I already used a LogLogic solution and want to go through a Splunk's one.

The problem is that all the logs of this network (decades Active Directory areas) are currently relayed to the LogLogic SIEM and then to my Splunk Indexer over TCP.
That's means that I can configure only one TCP input on my indexer.

Question is : How can I tell Splunk to define new sourcetypes based on differents events indexed such "This is a Windows Log" or "That is an Arkoon log" etc ... ?

Should I use a Splunk Forwarder to parse data upstream or anything else ?

Thank you in advance for your replies !

PS : Sorry for my English I'm a French student ^^

0 Karma

woodcock
Esteemed Legend
0 Karma

aholzer
Motivator

You can do this with props.conf and transforms.conf.

Your transforms would look something like this:

[force_sourcetype_x]
#regex that matches events that you want to label as sourcetype x
REGEX = sourcetype_x
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::x

Hope this helps

0 Karma

jimnol
New Member

I'll try it next week Splunk's VM is down actually.

Thank you !

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!