Solved: How to change sourcetype for HEC data input?

jwalzerpitt · ‎01-19-2023

In my Splunk Cloud instance, I am ingesting WAF security events from a SaaS service via HEC. The events are in JSON format so my HEC data input is configured as a sourcetype of _json.

I now need to ingest the WAF request events from the Saas service, which are also in JSON format, so I'd like to send those to the same index, but with a different sourcetype to distinguish the two types of events.

How can I modify the sourcetype for the WAF security events from _json to waf_sec and then create a new HEC data input for the WAF request events with a sourcetype of waf_req, yet retaining the JSON format?

Thx

scelikok · ‎01-19-2023

Hi @jwalzerpitt,

Since it may not be easy to default _json sourcetype, you can filter waf_sec events using the source field. Filtering events by the source field is efficient like sourcetype.

If this reply helps you an upvote is appreciated.

View solution in original post

scelikok · ‎01-19-2023

Hi @jwalzerpitt,

Since it may not be easy to default _json sourcetype, you can filter waf_sec events using the source field. Filtering events by the source field is efficient like sourcetype.

If this reply helps you an upvote is appreciated.

jwalzerpitt · ‎01-19-2023

TYVM for the reply and info / so basically I'll be ingesting security and request events into the same index with the same sourcetype, but using the source name to distinguish between the two as I can name the HEC data input for WAF requests differently, which will then allow me to filter (and tag) security and requests.

How to change sourcetype for HEC data input?

HTTP Event Collector

Index This | A sphere has three, a circle has two, and a point has zero. What is it?

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

Mission Control | Explore the latest release of Splunk Mission Control (2.3)