Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk event sourcetype overide and send event back to parsing queue

ankithreddy777
Contributor
‎03-21-2018 05:58 AM

I have a situation where I have to parse the data, especially timestamp extraction based on the keyword in the message.

like if event contains keyword "hello" I need to assigntimestamp from one field , if event contains "hi" I need to assign timestamp from other field during index time.

I tried to override source type based on matching keyword. But how to send the event back to parsing queue to re-assign timestamp based on new source type.

Or is there any other method achieve to assign timestamp based on keyword present in event.

0 Karma
Reply

tiagofbmm
Influencer
‎03-21-2018 08:01 AM

remember sourcetype overwrite is done in the end of the pipeline , just as cosmetic change for the latter search time field extractions and calculations.

I would still overwrite the sourcetype like you are doing but considering your use case of timestamp, I would create an EVAL in each sourcetype definition stating that _time=fieldA in one sourcetype and the respective thing on _time=fieldB on the other one.

Any time you later search for any of the sourcetype, your time will be showing modified.

Reply

tiagofbmm
Influencer
‎03-24-2018 12:04 AM

Please let me know if the answer was useful for you. If it was, accept it and upvote. If not, give us more input so we can help you with that

0 Karma
Reply

imgarytan
Path Finder
‎07-19-2019 12:50 PM

Yes, similar post :
https://answers.splunk.com/answers/447812/per-event-sourcetype-overrides-not-actually-a-lot.html?utm...

Then anyone tried custom datetime.xml as below:
https://docs.splunk.com/Documentation/Splunk/7.3.0/Data/Configuredatetimexml#Create_or_modify_a_cust...

Is this something complex but feasible? or better not even try it since the words "In nearly all cases, you do not need to modify datetime.xml" ?

Thanks

0 Karma
Reply

jluo_splunk
Splunk Employee
Splunk Employee
‎03-21-2018 07:52 AM

Could you post a sample of your data? That would be helpful 🙂

0 Karma
Reply

tiagofbmm
Influencer
‎03-21-2018 06:15 AM

Splunk data goes only once through the parsing pipeline so there is no way to do exactly what you are asking for

0 Karma
Reply

imgarytan
Path Finder
‎07-19-2019 01:29 PM

Looks someone tried Chaining Universal Forwarders to allow forwarding more than once.

Then, for technical discussion, can we try add an intermediate heavy forwarder (HF1) to do the event sourcetype overiding, then forward that to indexer or second heavy forwarder (HF2) to do the timestamp parsing again as per new sourcetypes? 🙂

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

What Is Splunk? Here’s What You Can Do with Splunk

Hey Splunk Community, we know you know Splunk. You likely leverage its unparalleled ability to ingest, index, ...

Level Up Your .conf25: Splunk Arcade Comes to Boston

With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Although it might seem daunting, as we’ve seen in this series, manual instrumentation can be straightforward ...