
How do I override source types in SplunkCloud

Explorer

I know that I can override source types dynamically per event based on this documentation link here: (docs.splunk.com/Documentation/Splunk/6.2.5/Data/Advancedsourcetypeoverrides)

I'm reading events from a custom source file (it's just a text file on Linux).

How do I change the source name dynamically in a SplunkCloud offering?


Re: How do I override source types in SplunkCloud

Influencer

One option is to use a Heavy Forwarder (HF) instead of, or in addition to, your Universal Forwarders (UF). Either the HF could be on the origin system, OR you could have the UFs forward to the HF, which in turn forwards to Splunk Cloud. The Heavy Forwarder is able to do all of the parsing steps, including per-event sourcetype overrides as you're wanting to do. (There is an exception: structured data like CSV and W3C using INDEXED_EXTRACTIONS actually has this part of parsing happen on the UF, so you would actually do this step on the UFs, but only if you were using that sort of sourcetype to begin with.)

Some docs links that you might find interesting:

I am not a Splunk Cloud customer, but I believe the other option is to develop your configuration and work with support to get it installed in your Splunk Cloud indexers. But, of course, that's more in Splunk's control rather than yours.

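Added example, not part of the answer above: the props.conf and transforms.conf stanzas that implement a per-event sourcetype override of the kind the answer describes, placed on the heavy forwarder that does the parsing. The source path, the sourcetype name `custom_app`, the app directory name and the two event formats are assumptions for illustration.

```ini
# Added example (not from the thread). Assumed: the UF monitors
# /var/log/custom/app.log and sends it as sourcetype "custom_app"; the
# heavy forwarder owns parsing, so these two files live on the HF in
# $SPLUNK_HOME/etc/apps/custom_app_parsing/local/ (app name is assumed).

# ---- props.conf (on the heavy forwarder) ----
# Input-time rules keyed on the sourcetype the UF assigns. The class name
# after "TRANSFORMS-" is arbitrary; the listed stanzas are applied in order.
# If the UF does not set a sourcetype, key this on [source::/var/log/custom/app.log]
# instead.
[custom_app]
TRANSFORMS-set_sourcetype = custom_app_auth, custom_app_db

# ---- transforms.conf (on the heavy forwarder) ----
# REGEX is matched against _raw (the default SOURCE_KEY). On a match the
# event's sourcetype is rewritten to the value after "sourcetype::".
# Anchor the patterns: an unanchored REGEX such as "AUTH" would also
# retag a DB line whose query text happens to contain that word.
[custom_app_auth]
REGEX = ^\d{4}-\d{2}-\d{2}T[\d:]+Z\s+AUTH\s
FORMAT = sourcetype::custom_app:auth
DEST_KEY = MetaData:Sourcetype

[custom_app_db]
REGEX = ^\d{4}-\d{2}-\d{2}T[\d:]+Z\s+DB\s
FORMAT = sourcetype::custom_app:db
DEST_KEY = MetaData:Sourcetype
```

With constructed lines such as `2015-09-01T12:00:00Z AUTH user=alice result=failure src=10.0.0.5` and `2015-09-01T12:00:01Z DB query=select count(*) duration=42ms`, the first is indexed as `custom_app:auth`, the second as `custom_app:db`, and any line matching neither keeps `custom_app`. Two caveats worth checking before relying on this. First, overrides are applied at index time only, so already-indexed events are unchanged, and the Splunk Cloud indexers still need search-time props (field extractions, CIM tags) for the new sourcetype names, which is part of what the support case in this thread would cover. Second, the sourcetype decides which extractions and any saved searches or correlation searches apply to an event, so an over-broad REGEX can silently move events out of scope of existing alerts; confirm the effective configuration on the HF with `splunk btool props list custom_app --debug` and `splunk btool transforms list custom_app_auth --debug`.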


Re: How do I override source types in SplunkCloud

Explorer

Thanks for the feedback - I'm not a big fan of "forwarders to forwarders", but this a (potential) option 🙂


Re: How do I override source types in SplunkCloud

Influencer

As I mentioned on the last line of my answer, the other option then is to open a support case to put your props and transforms into the configuration of your Splunk Cloud indexers. Per http://docs.splunk.com/Documentation/SplunkCloud/SplunkCloud/FAQs/FAQs under "What can Splunk support help me with?" the last bullet is "Modify the configuration settings of your deployment"

You'll likely still be responsible for developing the specific stanzas that you want to configure, it'd just likely take longer to take effect since you would not have as much control of when your changes are rolled out.


Re: How do I override source types in SplunkCloud

Explorer

Thanks again - I didn't quite catch that this was standard functionality from SplunkCloud.
