Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Sourcetype on SH overwriting config on HF
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I am working in a shared environment with several Heavy Forwarders that sent data to Splunk Cloud Indexers and a shared Splunk Cloud Search Head.
I have noticed that when I set up a sourcetype on the HF with the same name as a sourcetype on the Search head - the Search head sourcetype seems to supersede the configuration of the local sourcetype on the HF.
For example if I specify the timezone TZ=GMT on the sourcetype=IIS on the HF but on the SH the TZ is not set to GMT, it looks to me that sourcetype configuration on the SH supersedes the configuration on the HF. Would that be a correct assumption?
Thank you,
Oliver
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Correct.
It's possible to have sourcetype over-rides configured on the search head:
https://docs.splunk.com/Documentation/Splunk/7.3.1/Data/Renamesourcetypes
https://docs.splunk.com/Documentation/Splunk/7.3.1/Data/Advancedsourcetypeoverrides
The search head will rename the sourcetype, then parse the event based on the new sourcetype settings
The sourcetype set by the HF, should still be indexed with the event and depending on how the sourcetype change was done might be available in the field _sourcetype
If the settings on the seach head were removed, the original sourcetype would show up again.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Correct.
It's possible to have sourcetype over-rides configured on the search head:
https://docs.splunk.com/Documentation/Splunk/7.3.1/Data/Renamesourcetypes
https://docs.splunk.com/Documentation/Splunk/7.3.1/Data/Advancedsourcetypeoverrides
The search head will rename the sourcetype, then parse the event based on the new sourcetype settings
The sourcetype set by the HF, should still be indexed with the event and depending on how the sourcetype change was done might be available in the field _sourcetype
If the settings on the seach head were removed, the original sourcetype would show up again.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
