I have a scripted input that calls an Azure Event Hub and parses the JSON response. To start off easy, I set the sourcetype to the Splunk default "_json" sourcetype. Everything works fine, with the exception of the timestamp not being set correctly.
To resolve this, I cloned the _json sourcetype with the objective of updating some parameters. Before starting, I tested whether the cloned sourcetype, let's call it "_json2", would work. To my surprise and confusion, it does not. Instead of breaking each object into an event, it just indexes all objects into a single non-broken event. I have no idea why. All I did was click on the "clone" button and provide a new name. Why would this not work?
Also, since I am working in a distributed environment with 1 x HF, 1 x IDX, and 1 x SH, where should the new sourcetype be stored? I put it on the IDX. It's also defined on the HF and SH, but it makes no difference.
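For reference, here is what a hand-written props.conf stanza for a cloned JSON sourcetype looks like when it carries both the structured-data settings of the default _json stanza and explicit timestamp settings. This is an added example, not configuration from the original post or from Splunk's shipped defaults; the stanza name "_json2" follows the post, while the field name "time" and the TIME_FORMAT string are assumptions about the Event Hub payload and must be adjusted to the actual records.

```ini
# Added example (not from the original post). Place this in
# $SPLUNK_HOME/etc/system/local/props.conf or in an app's local/props.conf
# on the instance that performs the parsing for this input.

[_json2]
# Structured-data settings equivalent to the default _json stanza: each
# JSON object becomes its own event and its fields are indexed at parse time.
INDEXED_EXTRACTIONS = json
KV_MODE = none
category = Structured
pulldown_type = true

# Timestamp settings for this clone. The field name "time" and the format
# below are ASSUMPTIONS about the Event Hub JSON (e.g. a record like
# {"time": "2024-01-31T12:34:56.123456Z", "operationName": "..."}) and are
# not stated in the post; change them to match the real payload.
TIMESTAMP_FIELDS = time
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N%Z
MAX_TIMESTAMP_LOOKAHEAD = 40
```

After editing props.conf, restart the Splunk instance holding the stanza (or reload it) and verify with a fresh search over `sourcetype=_json2` that events are broken per object and that `_time` matches the value of the assumed "time" field rather than the index time.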