Solved: Re: Search based on a source type overwritten on a...

kagrze · ‎07-24-2013

I've implemented per-event source types assignment as described here: http://docs.splunk.com/Documentation/Splunk/5.0.3/Data/Advancedsourcetypeoverrides Basically it works. For events matching a REGEX source type is overwritten. Unfortunately when I use this source type in a search query no events are returned. Is it because override is done on a search-time instead of an index-time? Is it possible to solve this?

kagrze · ‎07-24-2013

OK, I've solved it. I made a mistake. Instead of FORMAT = sourcetype::<your_custom_sourcetype_value> I wrote FORMAT = <your_custom_sourcetype_value> (I forgot about sourcetype::). It was hard to spot because Splunk was correctly overwriting sourcetype field in search results.

View solution in original post

kagrze · ‎07-24-2013

OK, I've solved it. I made a mistake. Instead of FORMAT = sourcetype::<your_custom_sourcetype_value> I wrote FORMAT = <your_custom_sourcetype_value> (I forgot about sourcetype::). It was hard to spot because Splunk was correctly overwriting sourcetype field in search results.

bmacias84 · ‎07-24-2013

It would help if you posted the stanzas in your .conf related to this.

Search based on a source type overwritten on a per-event basis not returning any events

Enterprise Security Content Update (ESCU) | New Releases

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We’ve Got Education Validation!