In my Splunk Cloud instance, I am ingesting WAF security events from a SaaS service via HEC. The events are in JSON format so my HEC data input is configured as a sourcetype of _json.
I now need to ingest the WAF request events from the SaaS service, which are also in JSON format, so I'd like to send those to the same index, but with a different sourcetype to distinguish the two types of events.
How can I modify the sourcetype for the WAF security events from _json to waf_sec and then create a new HEC data input for the WAF request events with a sourcetype of waf_req, yet retaining the JSON format?
Thx
Hi @jwalzerpitt,
Since it may not be easy to change the default _json sourcetype, you can filter waf_sec events using the source field. Filtering events by the source field is as efficient as filtering by sourcetype.
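The following is an added example, not code from the original thread or from Splunk. It shows both approaches side by side: the source-based separation from the answer above, and the alternative the original question asked for, where each event carries its own sourcetype. HEC's /services/collector/event endpoint accepts the metadata keys source, sourcetype, index, host and time next to "event" in each JSON object, and those values override the token's defaults, so one token and one index can carry two sourcetypes. The sample WAF events, the source names http:waf_sec and http:waf_req, and the index name waf are constructed for the example.

```python
import json

# Constructed sample events, not real WAF data.
WAF_SEC_EVENT = {"action": "block", "rule_id": "942100",
                 "client_ip": "203.0.113.10", "uri": "/login"}
WAF_REQ_EVENT = {"method": "GET", "status": 200,
                 "client_ip": "203.0.113.11", "uri": "/index.html"}


def hec_batch(events, sourcetype, source, index="waf"):
    """Build a batched body for POST /services/collector/event.

    HEC batching is simply concatenated JSON objects. Per-object metadata
    (source, sourcetype, index) overrides the HEC token's defaults, which is
    how two streams sent to the same token end up with distinct sourcetypes.
    Index name "waf" is an assumption for this example.
    """
    return "".join(
        json.dumps({"event": ev, "sourcetype": sourcetype,
                    "source": source, "index": index})
        for ev in events
    )


def parse_hec_batch(body):
    """Decode a concatenated-JSON batch back into its objects.

    Used here to inspect what Splunk would receive; it tolerates whitespace
    between objects, which HEC also accepts.
    """
    decoder = json.JSONDecoder()
    pos, out = 0, []
    while pos < len(body):
        while pos < len(body) and body[pos].isspace():
            pos += 1
        if pos >= len(body):
            break
        obj, pos = decoder.raw_decode(body, pos)
        out.append(obj)
    return out


def filter_by_source(indexed_events, source):
    """The answer's approach: keep one HEC input's events by its source name,
    even when both inputs share the _json sourcetype.
    SPL equivalent: index=waf source="http:waf_req"
    """
    return [e for e in indexed_events if e.get("source") == source]


def filter_by_sourcetype(indexed_events, sourcetype):
    """The per-event-sourcetype approach.
    SPL equivalent: index=waf sourcetype="waf_req"
    """
    return [e for e in indexed_events if e.get("sourcetype") == sourcetype]


def simulate_ingest():
    """Send-side view of both streams landing in the same index."""
    sec_body = hec_batch([WAF_SEC_EVENT], "waf_sec", "http:waf_sec")
    req_body = hec_batch([WAF_REQ_EVENT, WAF_REQ_EVENT], "waf_req", "http:waf_req")
    # Each body would be POSTed with:
    #   curl -H "Authorization: Splunk <HEC token>" \
    #        https://<splunk-host>:8088/services/collector/event -d @body.json
    return parse_hec_batch(sec_body + req_body)


if __name__ == "__main__":
    stored = simulate_ingest()
    print(len(filter_by_source(stored, "http:waf_req")), "request events by source")
    print(len(filter_by_sourcetype(stored, "waf_sec")), "security events by sourcetype")
```

One caveat if you do override the sourcetype: the _json sourcetype is what gives you automatic JSON field extraction. A custom sourcetype such as waf_sec or waf_req has to be defined with JSON extraction of its own (in Splunk Cloud, create the sourcetype with the JSON category / KV_MODE set to json), otherwise the events will be indexed as raw text and the field-based searches above stop working.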
TYVM for the reply and info / so basically I'll be ingesting security and request events into the same index with the same sourcetype, but using the source name to distinguish between the two, as I can name the HEC data input for WAF requests differently, which will then allow me to filter (and tag) security and request events.