Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why does the _json default sourcetype work, but a clone of it doesn't?

andrewtrobec
Motivator
‎06-01-2021 10:05 AM

Hello!

Running Splunk Enterprise 8.0.5.

I have a scripted input that calls an Azure Event Hub and parses the json response.  To start off easy I set the sourcetype to the Splunk default "_json" sourcetype.  Everything works fine with the exception of the timestamp not being set correctly.

To resolve this I cloned the _json sourcetype with the objective of updating some parameters.  Before starting I tested to see whether the cloned sourcetype, let's call it "_json2", would work.  To my surprise and confusion it does not.  Instead of breaking each object into an event it just indexes all objects into a single non-broken event.  I have no idea why.  All I did was click on the "clone" button and provided a new name.  Why would this not work?

Also, since I am working in a distributed environment with 1 x HF, 1 x IDX, and 1 x SH, where should the new sourcetype be stored?  I put it on the IDX.  It's also defined on the HF and SH, but it makes no difference.  

Any help would be greatly appreciated!

Thank you and best regards,

Andrew

Labels (3)
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

andrewtrobec
Motivator
‎06-03-2021 11:28 AM

I was able to solve by defining the sourcetype within the local props.conf of the app that contained the scripted input on the HF.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

andrewtrobec
Motivator
‎06-03-2021 11:28 AM

I was able to solve by defining the sourcetype within the local props.conf of the app that contained the scripted input on the HF.

0 Karma
Reply
Solved! Jump to solution

venkatasri
SplunkTrust
SplunkTrust
‎06-01-2021 11:09 PM

Hi @andrewtrobec 

Can you share the clone config?

 

0 Karma
Reply
Solved! Jump to solution

andrewtrobec
Motivator
‎06-03-2021 11:27 AM

@venkatasri Thanks for your concern!  I was able to solve in the meantime by defining the sourcetype within the local props.conf of the app that contained the scripted input on the HF.

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with William Searle

The Splunk Guy: A Developer’s Path from Web to Cloud William is a Splunk Professional Services Consultant with ...

Major Splunk Upgrade – Prepare your Environment for Splunk 10 Now!

Attention App Developers: Test Your Apps with the Splunk 10.0 Beta and Ensure Compatibility Before the ...

Stay Connected: Your Guide to June Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...
Top