Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Sourcetype Inheritance: How to inherit parent sourcetype to child sourcetypes?

koshyk
Super Champion
‎08-23-2018 01:18 AM

Hope you all have faced this situation.. We got incoming mixed data from a single source (eg source=my_application.log) . This currently is parsed at arrival as sourcetype=my:application . But this contains valuable information of application:audit and application:transactions for example.

Most of the search-time extractions are similar for audit & transactions. But currently I have to copy all of the logic on each sourcetype which is pure duplication of code.

Any ideas/tricks to ensure the search-time extractions done on parent-sourcetype can be inherited to child sourcetypes?
Expecting something like below

[my:application]
# all common extractions here

## Hope to inherit all work done in above sourcetype
 [my:application:audit]
# some very specific extractions for audit only

 [my:application:transaction]
# some very specific extractions for txns
Reply

yahuja_splunk
Splunk Employee
Splunk Employee
‎08-23-2018 08:04 AM

check Palo Alto TA (props.conf) for detailed description on how to solve your problem. so your example would look something like this below.

[my:application]
# all common extractions here

TRANSFORMS-sourcetype =my:application:audit,my:application:transaction

[my:application:audit]
# some very specific extractions for audit only

[my:application:transaction]
# some very specific extractions for txns

0 Karma
Reply

koshyk
Super Champion
‎08-24-2018 01:54 PM

hi, this didn't do for me.
Since Transformations happen at indextime, how can Search Head (where search-time extractions) know to apply the search-time extractions for another sourcetype?

0 Karma
Reply

DimasSouza
Path Finder
‎03-05-2020 02:29 AM

Hi,

have you tried to copy your props.conf on both systems (index and search head)?

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎03-05-2020 09:09 AM

Hi

Transformation works also on search time, but you must have those definitions on search head layers (just like fields.conf).

T. Ismo

0 Karma
Reply

sshelly_splunk
Splunk Employee
Splunk Employee
‎08-23-2018 07:52 AM

You can rename sourcetypes as per: https://docs.splunk.com/Documentation/Splunk/7.1.2/Data/Renamesourcetypes.
I usually approach this using a transforms to set sourcetype at ingest, though not positive that would be of most use to you. Is it possible to post sample events scrubbed of course:))?

Reply

koshyk
Super Champion
‎08-24-2018 01:56 PM

I liked this idea. I feel its bit childish as per the document, but a new way. thanks for that.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...