Getting Data In

How do you create a duplicate source type?

Explorer

Hi All,

I need some quick help on creating duplicate source types in Splunk.

Currently, the data is flowing into index=test1 sourcetype=data1

Now, I would like to send the same data into another source type as well while keeping the original source type also.

So, the final result I am looking for is like below:

On Splunk Web, execute the search as below:

index=test1 

Then, I should be able to see 2 source types as sourcetype=data1 and sourcetype=data2 for the same index.

Thanks in advance,
Santosh


Explorer

You can use clone_sourcetype to clone your data into another sourcetype.

You will need to configure your props.conf and transforms.conf to look something like this:

props.conf:

# Stanza for the sourcetype the data arrives with (parm1/parm2 stand in for
# whatever parsing settings you already use)
[original_sourcetype]
parm1 = xxx
parm2 = 123

# Stanza for the cloned copy; it can carry its own parsing settings
[duplicate_sourcetype]
parm1 = xxx
parm2 = 123

# The cloning transform must be attached to a stanza that matches the incoming
# data: a source:: pattern (the pattern after source:: must match the source
# of the events) or the [original_sourcetype] stanza itself
[source::]
TRANSFORMS-clone = clone_sourcetype

transforms.conf:

# Copies every event that matches REGEX into the named sourcetype; the
# original event is kept and the clone is then parsed under duplicate_sourcetype
[clone_sourcetype]
CLONE_SOURCETYPE = duplicate_sourcetype
REGEX = .

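A misspelled transform name or a CLONE_SOURCETYPE that points at a sourcetype with no props.conf stanza fails silently in Splunk: nothing is cloned and no error is logged in an obvious place. The following is an added example (not from the answer above or from Splunk itself) that reads a props.conf and transforms.conf as text and checks the clone chain is wired consistently: every TRANSFORMS-* key refers to a transform stanza that exists, every CLONE_SOURCETYPE target has its own props.conf stanza, and every clone transform carries a REGEX. The sample configs embedded in it are constructed to mirror the answer, with the sourcetype names data1 and data2 from the question; SHOULD_LINEMERGE is a real props.conf setting used only as a stand-in for the parsing settings you would actually set.

```python
import configparser
from typing import List

# Constructed sample configs mirroring the answer above (not from any real deployment).
PROPS_CONF = """
[data1]
SHOULD_LINEMERGE = false
TRANSFORMS-clone = clone_to_data2

[data2]
SHOULD_LINEMERGE = false
"""

TRANSFORMS_CONF = """
[clone_to_data2]
CLONE_SOURCETYPE = data2
REGEX = .
"""


def parse_conf(text: str) -> configparser.ConfigParser:
    """Parse a Splunk-style .conf file.

    Splunk .conf files are INI-like. Key names are case sensitive (TRANSFORMS-x),
    so optionxform is disabled, and '%' interpolation is turned off so REGEX
    values are kept verbatim.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def check_clone_wiring(props_text: str, transforms_text: str) -> List[str]:
    """Return the problems found in the clone chain; an empty list means it is consistent."""
    props = parse_conf(props_text)
    transforms = parse_conf(transforms_text)
    problems: List[str] = []

    for stanza in props.sections():
        for key, value in props.items(stanza):
            if not key.startswith("TRANSFORMS-"):
                continue
            # A TRANSFORMS-* value may list several transforms separated by commas.
            for name in (v.strip() for v in value.split(",") if v.strip()):
                if not transforms.has_section(name):
                    problems.append(
                        f"[{stanza}]: {key} references missing transform [{name}]"
                    )
                    continue
                target = transforms.get(name, "CLONE_SOURCETYPE", fallback=None)
                if target is None:
                    continue  # an ordinary transform, not a clone
                if not props.has_section(target):
                    problems.append(
                        f"[{name}]: CLONE_SOURCETYPE={target} has no props.conf stanza"
                    )
                if not transforms.has_option(name, "REGEX"):
                    problems.append(
                        f"[{name}]: clone transform has no REGEX, so it never matches"
                    )
    return problems


if __name__ == "__main__":
    for problem in check_clone_wiring(PROPS_CONF, TRANSFORMS_CONF) or ["clone chain OK"]:
        print(problem)
```

Run it against the real files (read with open() instead of the embedded strings) from the app directory that owns the clone, since the sourcetype a transform clones into must be visible in the same props.conf merge.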

Ultra Champion

Sounds like you’re trying to solve a people/process problem with a technology solution. That isn’t always the best way to go.

But if you really cannot solve this on a people/process level, why not simply take a backup of that sourcetype config so that in the case they remove it, you can simply add it again?


Explorer

Hi All,

Thanks for the response.

Purpose of creating duplicate sourcetype:

  • The original sourcetype (data1) was created by another team and we don't have any control on this sourcetype. Going forward if they delete this sourcetype without our knowledge then we won't be having any control on the sourcetype. Hence, we are creating a duplicate sourcetype (data2) so that we can have the control of the data flowing into this sourcetype and can parse the data easily.

regards,
Santosh


Ultra Champion

What would be the purpose of this? And would you intend to duplicate the data then, or do you mean that part of your data should get assigned data1 and part of it should get assigned data2 as sourcetype?


Influencer

What is it you want to achieve with the separation?


SplunkTrust

Events can have exactly one sourcetype.
