Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk event sourcetype overide and send event back to parsing queue

ankithreddy777
Contributor
‎03-21-2018 05:58 AM

I have a situation where I have to parse the data, especially timestamp extraction based on the keyword in the message.

like if event contains keyword "hello" I need to assigntimestamp from one field , if event contains "hi" I need to assign timestamp from other field during index time.

I tried to override source type based on matching keyword. But how to send the event back to parsing queue to re-assign timestamp based on new source type.

Or is there any other method achieve to assign timestamp based on keyword present in event.

0 Karma
Reply

tiagofbmm
Influencer
‎03-21-2018 08:01 AM

remember sourcetype overwrite is done in the end of the pipeline , just as cosmetic change for the latter search time field extractions and calculations.

I would still overwrite the sourcetype like you are doing but considering your use case of timestamp, I would create an EVAL in each sourcetype definition stating that _time=fieldA in one sourcetype and the respective thing on _time=fieldB on the other one.

Any time you later search for any of the sourcetype, your time will be showing modified.

Reply

tiagofbmm
Influencer
‎03-24-2018 12:04 AM

Please let me know if the answer was useful for you. If it was, accept it and upvote. If not, give us more input so we can help you with that

0 Karma
Reply

imgarytan
Path Finder
‎07-19-2019 12:50 PM

Yes, similar post :
https://answers.splunk.com/answers/447812/per-event-sourcetype-overrides-not-actually-a-lot.html?utm...

Then anyone tried custom datetime.xml as below:
https://docs.splunk.com/Documentation/Splunk/7.3.0/Data/Configuredatetimexml#Create_or_modify_a_cust...

Is this something complex but feasible? or better not even try it since the words "In nearly all cases, you do not need to modify datetime.xml" ?

Thanks

0 Karma
Reply

jluo_splunk
Splunk Employee
Splunk Employee
‎03-21-2018 07:52 AM

Could you post a sample of your data? That would be helpful 🙂

0 Karma
Reply

tiagofbmm
Influencer
‎03-21-2018 06:15 AM

Splunk data goes only once through the parsing pipeline so there is no way to do exactly what you are asking for

0 Karma
Reply

imgarytan
Path Finder
‎07-19-2019 01:29 PM

Looks someone tried Chaining Universal Forwarders to allow forwarding more than once.

Then, for technical discussion, can we try add an intermediate heavy forwarder (HF1) to do the event sourcetype overiding, then forward that to indexer or second heavy forwarder (HF2) to do the timestamp parsing again as per new sourcetypes? 🙂

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...