Getting Data In

How to change sourcetype for HEC data input?

jwalzerpitt
Influencer

In my Splunk Cloud instance, I am ingesting WAF security events from a SaaS service via HEC. The events are in JSON format so my HEC data input is configured as a sourcetype of _json.

I now need to ingest the WAF request events from the Saas service, which are also in JSON format, so I'd like to send those to the same index, but with a different sourcetype to distinguish the two types of events. 

How can I modify the sourcetype for the WAF security events  from _json to waf_sec and then create a new HEC data input for the WAF request events with a sourcetype of waf_req, yet retaining the JSON format?

Thx

Labels (1)
Tags (4)
0 Karma
1 Solution

scelikok
SplunkTrust
SplunkTrust

Hi @jwalzerpitt,

Since it may not be easy to default _json sourcetype, you can filter waf_sec events using the source field. Filtering events by the source field is efficient like sourcetype. 

If this reply helps you an upvote is appreciated.

View solution in original post

scelikok
SplunkTrust
SplunkTrust

Hi @jwalzerpitt,

Since it may not be easy to default _json sourcetype, you can filter waf_sec events using the source field. Filtering events by the source field is efficient like sourcetype. 

If this reply helps you an upvote is appreciated.

jwalzerpitt
Influencer

TYVM for the reply and info / so basically I'll be ingesting security and request events into the same index with the same sourcetype, but using the source name to distinguish between the two as I can name the HEC data input for WAF requests differently, which will then allow me to filter (and tag) security and requests.

0 Karma
Get Updates on the Splunk Community!

Index This | A sphere has three, a circle has two, and a point has zero. What is it?

September 2023 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

 Clayton Homes faced the increased challenge of strengthening their security posture as they went through ...

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

We’re happy to announce the release of Mission Control 2.3 which includes several new and exciting features ...