Hope you all have faced this situation. We get incoming mixed data from a single source (e.g. source=my_application.log). This is currently parsed at arrival as sourcetype=my:application, but it contains valuable information of application:transactions, for example.
Most of the search-time extractions are similar for audit & transactions, but currently I have to copy all of the logic on each sourcetype, which is pure duplication of code.
Any ideas/tricks to ensure the search-time extractions done on the parent sourcetype can be inherited by the child sourcetypes?
Expecting something like below:

```ini
[my:application]
# all common extractions here

## Hope to inherit all work done in above sourcetype
[my:application:audit]
# some very specific extractions for audit only

[my:application:transaction]
# some very specific extractions for txns
```
Check the Palo Alto TA (props.conf) for a detailed description of how to solve your problem. So your example would look something like this below.
```ini
# all common extractions here
# some very specific extractions for audit only
# some very specific extractions for txns
```
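One way to lay this out, as an added example that is not from the Palo Alto TA or from this thread: route the parent sourcetype to the two children at index time with transforms, and keep the shared search-time extractions in a `source::` stanza rather than in the parent sourcetype stanza, since search-time extractions from every matching props.conf stanza (host, source and sourcetype) are applied to an event. The event layout, regexes and field names below are constructed for illustration.

```ini
# Constructed sample events in my_application.log (not from the thread):
#   2019-01-07T10:00:00Z AUDIT user=alice action=login result=success
#   2019-01-07T10:00:05Z TXN user=alice txn_id=42 amount=19.99

# ---- transforms.conf (index time: indexer or heavy forwarder) ----
[set_sourcetype_audit]
REGEX = ^\S+\s+AUDIT\s
FORMAT = sourcetype::my:application:audit
DEST_KEY = MetaData:Sourcetype

[set_sourcetype_transaction]
REGEX = ^\S+\s+TXN\s
FORMAT = sourcetype::my:application:transaction
DEST_KEY = MetaData:Sourcetype

# ---- props.conf ----
# Index time: events arrive as my:application and are rewritten to a child
# sourcetype before indexing, so the parent stanza only does routing.
[my:application]
TRANSFORMS-set_child_sourcetype = set_sourcetype_audit, set_sourcetype_transaction

# Search time (search head): common extractions keyed on the source.
# The "..." wildcard matches any leading path. Because the source stays the
# same after the sourcetype rewrite, these fields appear on both children
# without copying the regex into each child stanza.
[source::.../my_application.log]
EXTRACT-common = ^(?<timestamp>\S+)\s+(?<event_class>\w+)\s+user=(?<user>\S+)

# Child-specific extractions only.
[my:application:audit]
EXTRACT-audit = action=(?<action>\w+)\s+result=(?<result>\w+)

[my:application:transaction]
EXTRACT-txn = txn_id=(?<txn_id>\w+)\s+amount=(?<amount>[\d.]+)
```

Check with `index=... sourcetype=my:application:audit | table user action result` and the same for the transaction sourcetype; the `user` field should be present on both even though it is defined once. Note the index-time rewrite only affects data indexed after the change, so already indexed events keep the parent sourcetype.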
Hi, this didn't do it for me.
Since transformations happen at index time, how can the search head (where search-time extractions run) know to apply the search-time extractions for another sourcetype?
You can rename sourcetypes as per: https://docs.splunk.com/Documentation/Splunk/7.1.2/Data/Renamesourcetypes.
I usually approach this using a transform to set the sourcetype at ingest, though I'm not positive that would be of most use to you. Is it possible to post sample events (scrubbed, of course :))?