Getting Data In

Sourcetype Inheritance: How to inherit parent sourcetype to child sourcetypes?

koshyk
Super Champion

Hope you all have faced this situation.. We got incoming mixed data from a single source (eg source=my_application.log) . This currently is parsed at arrival as sourcetype=my:application . But this contains valuable information of application:audit and application:transactions for example.

Most of the search-time extractions are similar for audit & transactions. But currently I have to copy all of the logic on each sourcetype which is pure duplication of code.

Any ideas/tricks to ensure the search-time extractions done on parent-sourcetype can be inherited to child sourcetypes?
Expecting something like below

[my:application]
# all common extractions here

## Hope to inherit all work done in above sourcetype
 [my:application:audit]
# some very specific extractions for audit only

 [my:application:transaction]
# some very specific extractions for txns

yahuja_splunk
Splunk Employee
Splunk Employee

check Palo Alto TA (props.conf) for detailed description on how to solve your problem. so your example would look something like this below.

[my:application]
# all common extractions here

TRANSFORMS-sourcetype =my:application:audit,my:application:transaction

[my:application:audit]
# some very specific extractions for audit only

[my:application:transaction]
# some very specific extractions for txns

0 Karma

koshyk
Super Champion

hi, this didn't do for me.
Since Transformations happen at indextime, how can Search Head (where search-time extractions) know to apply the search-time extractions for another sourcetype?

0 Karma

DimasSouza
Path Finder

Hi,

have you tried to copy your props.conf on both systems (index and search head)?

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

Transformation works also on search time, but you must have those definitions on search head layers (just like fields.conf).

T. Ismo

0 Karma

sshelly_splunk
Splunk Employee
Splunk Employee

You can rename sourcetypes as per: https://docs.splunk.com/Documentation/Splunk/7.1.2/Data/Renamesourcetypes.
I usually approach this using a transforms to set sourcetype at ingest, though not positive that would be of most use to you. Is it possible to post sample events scrubbed of course:))?

koshyk
Super Champion

I liked this idea. I feel its bit childish as per the document, but a new way. thanks for that.

0 Karma
Get Updates on the Splunk Community!

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...