Solved: Re: Routing Sourcetype

blanky · ‎04-15-2025

We are collecting the sourtype of the data we are currently receiving by changing it as follows.

[A_syslog]
TRANSFORMS-<class_A> = <TRANSFORMS_STANZA_NAME>

[<TRANSFORMS_STANZA_NAME>]
REGEX = \w+\s+\d+\s+\d([^\s+]*)\s+([^\s+]*)\s+([^\s+]*)\s+([^\s+]*)\s+([^\s+]*)\s+
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::B_syslog
WRITE_META = true

I want to apply timestamp for B_syslog differently here, so I'm looking for sourcetype in props.conf but I can't see it.

When I change the sourcetype in the same way as above, can I get a different timestamp value only for that data?

isoutamo · ‎04-16-2025

You need to remember that setting a new sourcetype value for your event, don’t start to travel ingesting pipeline again! So don’t expect that setting sourcetype as B then it apply those definitions to that event. No it just go forward with sourcetype A settings.

View solution in original post

isoutamo · ‎04-16-2025

You need to remember that setting a new sourcetype value for your event, don’t start to travel ingesting pipeline again! So don’t expect that setting sourcetype as B then it apply those definitions to that event. No it just go forward with sourcetype A settings.

livehybrid · ‎04-15-2025

Hi @blanky

I replied to your previous post about this yesterday here https://community.splunk.com/t5/Getting-Data-In/change-timestamp-for-extra-data/m-p/744204#M118235

Were you able to test this approach, or is this not what you are looking for?

Please could you include some sample data as examples of before/after so we can see what you are looking to achieve if the suggested solution is not appropriate?

You could try something like this:

== transforms.conf ==
[yourSourcetype]
TRANSFORM-overwriteTime = overwriteTime

== props.conf ==
[overwriteTime]
INGEST_EVAL = _time=coalesce(strptime(substr(_raw,0,25),"%Y-%m-%d %H:%M:%S"),_time)

This would try and extract the time using the format provided out of the first 25 characters of the _raw event (adjust accordingly) and if that fails it falls back on _time previously determined).
This allows you to overwrite the _time extraction for your other data. You can develop this further depending on the various events coming in if necessary.

For more context on this check out Richard Morgan's fantastic props/transforms examples at https://github.com/silkyrich/ingest_eval_examples/blob/master/default/transforms.conf#L9

For time format variables see https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commontimeformatvariables

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Routing Sourcetype

heavy forwarder

inputs.conf

time

transforms.conf

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation