Re: TCP input override

hethu · ‎06-23-2020

Hi,

I am using a TCP input in splunk to receive WSUS data, gathered and pushed to splunk by a powershell script.

My question is if it is possible to use the same input, and override source type based on a field value in the received data? I have field called "datasource" in my data.

The_Simko · ‎06-23-2020

Yes, it is possible. Note, it may cause excessive CPU usage on the indexer / heavy forwarder.

props.conf and transforms.conf (most likely on indexer, but if you have the data coming to a heavy forwarder, then put the props and transforms there as well)

In the transforms example below, adjust the regex to grab the field you are looking for.

For More details, see: https://docs.splunk.com/Documentation/Splunk/8.0.4/Data/Advancedsourcetypeoverrides

props.conf
[<sourcetype>]
TRANSFORMS-changedatasource = datasource_finder

transforms.conf
[datasource_finder]
SOURCE_KEY = _raw
REGEX = datasource=(\w+)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::$1

TCP input override

sourcetype

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Keep the Learning Going with the New Best of .conf Hub

Join the Conversation