Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Sourcetype Inheritance: How to inherit parent sourcetype to child sourcetypes?

koshyk
Super Champion
‎08-23-2018 01:18 AM

Hope you all have faced this situation.. We got incoming mixed data from a single source (eg source=my_application.log) . This currently is parsed at arrival as sourcetype=my:application . But this contains valuable information of application:audit and application:transactions for example.

Most of the search-time extractions are similar for audit & transactions. But currently I have to copy all of the logic on each sourcetype which is pure duplication of code.

Any ideas/tricks to ensure the search-time extractions done on parent-sourcetype can be inherited to child sourcetypes?
Expecting something like below

[my:application]
# all common extractions here

## Hope to inherit all work done in above sourcetype
 [my:application:audit]
# some very specific extractions for audit only

 [my:application:transaction]
# some very specific extractions for txns
Reply

yahuja_splunk
Splunk Employee
Splunk Employee
‎08-23-2018 08:04 AM

check Palo Alto TA (props.conf) for detailed description on how to solve your problem. so your example would look something like this below.

[my:application]
# all common extractions here

TRANSFORMS-sourcetype =my:application:audit,my:application:transaction

[my:application:audit]
# some very specific extractions for audit only

[my:application:transaction]
# some very specific extractions for txns

0 Karma
Reply

koshyk
Super Champion
‎08-24-2018 01:54 PM

hi, this didn't do for me.
Since Transformations happen at indextime, how can Search Head (where search-time extractions) know to apply the search-time extractions for another sourcetype?

0 Karma
Reply

DimasSouza
Path Finder
‎03-05-2020 02:29 AM

Hi,

have you tried to copy your props.conf on both systems (index and search head)?

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎03-05-2020 09:09 AM

Hi

Transformation works also on search time, but you must have those definitions on search head layers (just like fields.conf).

T. Ismo

0 Karma
Reply

sshelly_splunk
Splunk Employee
Splunk Employee
‎08-23-2018 07:52 AM

You can rename sourcetypes as per: https://docs.splunk.com/Documentation/Splunk/7.1.2/Data/Renamesourcetypes.
I usually approach this using a transforms to set sourcetype at ingest, though not positive that would be of most use to you. Is it possible to post sample events scrubbed of course:))?

Reply

koshyk
Super Champion
‎08-24-2018 01:56 PM

I liked this idea. I feel its bit childish as per the document, but a new way. thanks for that.

0 Karma
Reply
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...