Getting Data In

How to split single sourcetype in multiple ones based on json field value?

marco_massari11
Communicator

Hi all,

recently my customer asked me to integrate different JSON log sources (VPN concentrator, WAF and Load Balancers) comeing from only one Azure event hub. I onboarded it using the Splunk Add-on for Microsoft Cloud Services (https://splunkbase.splunk.com/app/3110) from the Inputs Data Manager Instance (IDM) and I selected the deafult sourcetype "mscs:azure:eventhub". At this point I need to split this sourcetype in three new ones, one for each log type (VPN concentrator, WAF and Load Balancers) distinguishing them and creating custom field extractions and so on for the Data Models. I found a field "category"  within the JSON logs which can be used as splitting criteria:

marco_massari11_0-1670517468037.png

Have you any idea to do that?

Thanks in advance!

0 Karma

Atriarc
SplunkTrust
SplunkTrust

You cannot rename the source type for data that has already been indexed. You can do some things at search time, but since that is inefficient I won't go into it. Your best bet is likely sending the data feed to a heavy forwarder, setting the source types appropriately (inputs, props, transforms), and then kicking it to the indexers.

Tags (1)
0 Karma

marco_massari11
Communicator

Hi @Atriarc ,

my idea was to configure such a parser, maybe in the indxer before indexing.

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Laser Bananas and Edge Hubs: Exploring Operational Technology (OT) Data Through a ...

  OT is a different environment to traditional IT and can have interesting challenges when interfacing the ...

Event Series: Mastering AI Tokenomics and Splunk Agent Observability

Beyond the Black Box: Correlating AI Performance and Tokenomics with Splunk Agent Observability   As ...

span_metrics: The OpenTelemetry-Idiomatic Way to See Inside Your Services

You open a trace in Splunk Observability Cloud and everything looks fine. One root span, order-pipeline, with ...