Getting Data In

How to change sourcetype for HEC data input?

jwalzerpitt
Influencer

In my Splunk Cloud instance, I am ingesting WAF security events from a SaaS service via HEC. The events are in JSON format so my HEC data input is configured as a sourcetype of _json.

I now need to ingest the WAF request events from the Saas service, which are also in JSON format, so I'd like to send those to the same index, but with a different sourcetype to distinguish the two types of events. 

How can I modify the sourcetype for the WAF security events  from _json to waf_sec and then create a new HEC data input for the WAF request events with a sourcetype of waf_req, yet retaining the JSON format?

Thx

Labels (1)
Tags (4)
0 Karma
1 Solution

scelikok
SplunkTrust
SplunkTrust

Hi @jwalzerpitt,

Since it may not be easy to default _json sourcetype, you can filter waf_sec events using the source field. Filtering events by the source field is efficient like sourcetype. 

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

scelikok
SplunkTrust
SplunkTrust

Hi @jwalzerpitt,

Since it may not be easy to default _json sourcetype, you can filter waf_sec events using the source field. Filtering events by the source field is efficient like sourcetype. 

If this reply helps you an upvote and "Accept as Solution" is appreciated.

jwalzerpitt
Influencer

TYVM for the reply and info / so basically I'll be ingesting security and request events into the same index with the same sourcetype, but using the source name to distinguish between the two as I can name the HEC data input for WAF requests differently, which will then allow me to filter (and tag) security and requests.

0 Karma
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...