Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to force to set certain fields (host and sourcetype) for events from HEC local stanza for each token

gots
Path Finder
‎08-14-2017 12:10 PM

Is it possible to force Splunk to set up specific fields (sourcetype, source, host) from HEC local stanza
but not from event parameters?

For example if i have inputs.conf like:

[http://http_test]
description = test hec input
disabled = 0
connection_host = dns
index = main
source = test_hec_source
sourcetype = test_hec_sourcetype

Client can rewrite index, host, source and sourcetype if post in data json like:

{
  "host": fake_host,
  "sourcetype": fake_sourcetype,
  "index": fake_index,
  "source": fake_source
}

But in certain situations i need to deny modifications of this parameters. Of course i can do it with transforms.conf, but it is not convinient.

Reply

mdsnmss
SplunkTrust
SplunkTrust
‎08-14-2017 12:46 PM

You should be able to override source and define sourcetype for HEC during configuration I know for sure. I don't believe you can for host. You should also be able to override fields using props and transforms at the indexers.

props.conf

[<original sourcetype>]
TRANSFORMS-force_host = force_host
TRANSFORMS-force_source = force_source
TRANSFORMS-force_sourcetype=force_sourcetype

transforms.conf

[force_host]
DEST_KEY=MetaData:Host
FORMAT = <your_host>

[force_source]
DEST_KEY=MetaData:Source
FORMAT = <your_source>

[force_sourcetype]
DEST_KEY=MetaData:Sourcetype
FORMAT = <your_sourcetype>

The only thing I am unsure of is Splunk's order of operations. If it changes the sourcetype first, would it no longer see that sourcetype for the event and skip the host and source override? I would have to test but, if so, you should be able to just create a new stanza for the new sourcetype.

https://docs.splunk.com/Documentation/SplunkCloud/6.6.1/Data/Advancedsourcetypeoverrides

0 Karma
Reply

gots
Path Finder
‎08-14-2017 01:07 PM

you are right about HEC configuration if sourcetype, host and over fields are not defined in event.
But if sender define this fields, he will override valued defined in inputs.conf.

0 Karma
Reply

mdsnmss
SplunkTrust
SplunkTrust
‎08-14-2017 12:47 PM

In HEC configs, source/sourcetype settings come under the "per-token" settings: http://dev.splunk.com/view/event-collector/SP-CAAAE6Q.

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top