Re: How to split single sourcetype in multiple one...

marco_massari11 · ‎12-08-2022

Hi all,

recently my customer asked me to integrate different JSON log sources (VPN concentrator, WAF and Load Balancers) comeing from only one Azure event hub. I onboarded it using the Splunk Add-on for Microsoft Cloud Services (https://splunkbase.splunk.com/app/3110) from the Inputs Data Manager Instance (IDM) and I selected the deafult sourcetype "mscs:azure:eventhub". At this point I need to split this sourcetype in three new ones, one for each log type (VPN concentrator, WAF and Load Balancers) distinguishing them and creating custom field extractions and so on for the Data Models. I found a field "category" within the JSON logs which can be used as splitting criteria:

Have you any idea to do that?

Thanks in advance!

Atriarc · ‎12-08-2022

You cannot rename the source type for data that has already been indexed. You can do some things at search time, but since that is inefficient I won't go into it. Your best bet is likely sending the data feed to a heavy forwarder, setting the source types appropriately (inputs, props, transforms), and then kicking it to the indexers.

marco_massari11 · ‎12-08-2022

Hi @Atriarc ,

my idea was to configure such a parser, maybe in the indxer before indexing.

How to split single sourcetype in multiple ones based on json field value?

data

field extraction

inputs.conf

JSON

props.conf

source

sourcetype

transforms.conf

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join the Conversation

How to split single sourcetype in multiple ones based on json field value?