Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why does the _json default sourcetype work, but a clone of it doesn't?

andrewtrobec
Motivator
‎06-01-2021 10:05 AM

Hello!

Running Splunk Enterprise 8.0.5.

I have a scripted input that calls an Azure Event Hub and parses the json response.  To start off easy I set the sourcetype to the Splunk default "_json" sourcetype.  Everything works fine with the exception of the timestamp not being set correctly.

To resolve this I cloned the _json sourcetype with the objective of updating some parameters.  Before starting I tested to see whether the cloned sourcetype, let's call it "_json2", would work.  To my surprise and confusion it does not.  Instead of breaking each object into an event it just indexes all objects into a single non-broken event.  I have no idea why.  All I did was click on the "clone" button and provided a new name.  Why would this not work?

Also, since I am working in a distributed environment with 1 x HF, 1 x IDX, and 1 x SH, where should the new sourcetype be stored?  I put it on the IDX.  It's also defined on the HF and SH, but it makes no difference.  

Any help would be greatly appreciated!

Thank you and best regards,

Andrew

Labels (3)
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

andrewtrobec
Motivator
‎06-03-2021 11:28 AM

I was able to solve by defining the sourcetype within the local props.conf of the app that contained the scripted input on the HF.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

andrewtrobec
Motivator
‎06-03-2021 11:28 AM

I was able to solve by defining the sourcetype within the local props.conf of the app that contained the scripted input on the HF.

0 Karma
Reply
Solved! Jump to solution

venkatasri
SplunkTrust
SplunkTrust
‎06-01-2021 11:09 PM

Hi @andrewtrobec 

Can you share the clone config?

 

0 Karma
Reply
Solved! Jump to solution

andrewtrobec
Motivator
‎06-03-2021 11:27 AM

@venkatasri Thanks for your concern!  I was able to solve in the meantime by defining the sourcetype within the local props.conf of the app that contained the scripted input on the HF.

0 Karma
Reply
Get Updates on the Splunk Community!

Now Playing: Splunk Education Summer Learning Premieres

It’s premiere season, and Splunk Education is rolling out new releases you won’t want to miss. Whether you’re ...

The Visibility Gap: Hybrid Networks and IT Services

The most forward thinking enterprises among us see their network as much more than infrastructure – it's their ...

Get Operational Insights Quickly with Natural Language on the Splunk Platform

In today’s fast-paced digital world, turning data into actionable insights is essential for success. With ...
Top