Getting Data In

Why does the _json default sourcetype work, but a clone of it doesn't?

andrewtrobec
Motivator

Hello!

Running Splunk Enterprise 8.0.5.

I have a scripted input that calls an Azure Event Hub and parses the json response.  To start off easy I set the sourcetype to the Splunk default "_json" sourcetype.  Everything works fine with the exception of the timestamp not being set correctly.

To resolve this I cloned the _json sourcetype with the objective of updating some parameters.  Before starting I tested to see whether the cloned sourcetype, let's call it "_json2", would work.  To my surprise and confusion it does not.  Instead of breaking each object into an event it just indexes all objects into a single non-broken event.  I have no idea why.  All I did was click on the "clone" button and provided a new name.  Why would this not work?

Also, since I am working in a distributed environment with 1 x HF, 1 x IDX, and 1 x SH, where should the new sourcetype be stored?  I put it on the IDX.  It's also defined on the HF and SH, but it makes no difference.  

Any help would be greatly appreciated!

Thank you and best regards,

Andrew

Labels (3)
Tags (3)
0 Karma
1 Solution

andrewtrobec
Motivator

I was able to solve by defining the sourcetype within the local props.conf of the app that contained the scripted input on the HF.

View solution in original post

0 Karma

andrewtrobec
Motivator

I was able to solve by defining the sourcetype within the local props.conf of the app that contained the scripted input on the HF.

0 Karma

venkatasri
SplunkTrust
SplunkTrust

Hi @andrewtrobec 

Can you share the clone config?

 

0 Karma

andrewtrobec
Motivator

@venkatasri Thanks for your concern!  I was able to solve in the meantime by defining the sourcetype within the local props.conf of the app that contained the scripted input on the HF.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...