Getting Data In

Sourcetype Inheritance: How to inherit parent sourcetype to child sourcetypes?

koshyk
Super Champion

Hope you all have faced this situation.. We got incoming mixed data from a single source (eg source=my_application.log) . This currently is parsed at arrival as sourcetype=my:application . But this contains valuable information of application:audit and application:transactions for example.

Most of the search-time extractions are similar for audit & transactions. But currently I have to copy all of the logic on each sourcetype which is pure duplication of code.

Any ideas/tricks to ensure the search-time extractions done on parent-sourcetype can be inherited to child sourcetypes?
Expecting something like below

[my:application]
# all common extractions here

## Hope to inherit all work done in above sourcetype
 [my:application:audit]
# some very specific extractions for audit only

 [my:application:transaction]
# some very specific extractions for txns

yahuja_splunk
Splunk Employee
Splunk Employee

check Palo Alto TA (props.conf) for detailed description on how to solve your problem. so your example would look something like this below.

[my:application]
# all common extractions here

TRANSFORMS-sourcetype =my:application:audit,my:application:transaction

[my:application:audit]
# some very specific extractions for audit only

[my:application:transaction]
# some very specific extractions for txns

0 Karma

koshyk
Super Champion

hi, this didn't do for me.
Since Transformations happen at indextime, how can Search Head (where search-time extractions) know to apply the search-time extractions for another sourcetype?

0 Karma

DimasSouza
Path Finder

Hi,

have you tried to copy your props.conf on both systems (index and search head)?

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

Transformation works also on search time, but you must have those definitions on search head layers (just like fields.conf).

T. Ismo

0 Karma

sshelly_splunk
Splunk Employee
Splunk Employee

You can rename sourcetypes as per: https://docs.splunk.com/Documentation/Splunk/7.1.2/Data/Renamesourcetypes.
I usually approach this using a transforms to set sourcetype at ingest, though not positive that would be of most use to you. Is it possible to post sample events scrubbed of course:))?

koshyk
Super Champion

I liked this idea. I feel its bit childish as per the document, but a new way. thanks for that.

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...