How to split single sourcetype in multiple ones ba...

marco_massari11 · ‎12-08-2022

Hi all,

recently my customer asked me to integrate different JSON log sources (VPN concentrator, WAF and Load Balancers) comeing from only one Azure event hub. I onboarded it using the Splunk Add-on for Microsoft Cloud Services (https://splunkbase.splunk.com/app/3110) from the Inputs Data Manager Instance (IDM) and I selected the deafult sourcetype "mscs:azure:eventhub". At this point I need to split this sourcetype in three new ones, one for each log type (VPN concentrator, WAF and Load Balancers) distinguishing them and creating custom field extractions and so on for the Data Models. I found a field "category" within the JSON logs which can be used as splitting criteria:

Have you any idea to do that?

Thanks in advance!

Atriarc · ‎12-08-2022

You cannot rename the source type for data that has already been indexed. You can do some things at search time, but since that is inefficient I won't go into it. Your best bet is likely sending the data feed to a heavy forwarder, setting the source types appropriately (inputs, props, transforms), and then kicking it to the indexers.

marco_massari11 · ‎12-08-2022

Hi @Atriarc ,

my idea was to configure such a parser, maybe in the indxer before indexing.

How to split single sourcetype in multiple ones based on json field value?

data

field extraction

inputs.conf

JSON

other

props.conf

source

sourcetype

transforms.conf

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms