Re: TCP input override

hethu · ‎06-23-2020

Hi,

I am using a TCP input in splunk to receive WSUS data, gathered and pushed to splunk by a powershell script.

My question is if it is possible to use the same input, and override source type based on a field value in the received data? I have field called "datasource" in my data.

The_Simko · ‎06-23-2020

Yes, it is possible. Note, it may cause excessive CPU usage on the indexer / heavy forwarder.

props.conf and transforms.conf (most likely on indexer, but if you have the data coming to a heavy forwarder, then put the props and transforms there as well)

In the transforms example below, adjust the regex to grab the field you are looking for.

For More details, see: https://docs.splunk.com/Documentation/Splunk/8.0.4/Data/Advancedsourcetypeoverrides

props.conf
[<sourcetype>]
TRANSFORMS-changedatasource = datasource_finder

transforms.conf
[datasource_finder]
SOURCE_KEY = _raw
REGEX = datasource=(\w+)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::$1

TCP input override

sourcetype

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

Index This | What has goals but no motivation?

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Join the Conversation