Knowledge Management

what is the difference between override source type from forwarder and from indexer???

ahmedragy922
Explorer

Hi,
i'm new to splunk , i just wounder what is the difference between override source type/index from forwarder and from indexer???
and also if i choose to override sourcetype of files in universal forwarder , should i create a sourcetype and regex in transforms.conf on Search head with the new name that i specified in Universal Forwarder inputs.conf file to extract fields???

1 Solution

VatsalJagani
SplunkTrust
SplunkTrust

@ahmedragy922,

There are three ways some ways you can attach sourcetype to your event. you should not worry about its difference as for user when you search the data there its just one sourcetype statically attached to your event + props/transforms regarding sourcetype will not apply on universal forwarder it will apply on Indexer.

If you write sourcetype in inputs.conf that will be applied from universal forwarder. Then data come to Indexer (it is called parsing phase but, if you use heavy forwarder parsing phase will be on Heavy Forwarder. Universal forwarder cannot perform parsing phase), there you can override that value with sourcetype parameter in props.conf or you can also override its value with Meta field from transforms.conf.

I hope this gives you the understanding that you need about sourcetype.

View solution in original post

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust

@ahmedragy922,

There are three ways some ways you can attach sourcetype to your event. you should not worry about its difference as for user when you search the data there its just one sourcetype statically attached to your event + props/transforms regarding sourcetype will not apply on universal forwarder it will apply on Indexer.

If you write sourcetype in inputs.conf that will be applied from universal forwarder. Then data come to Indexer (it is called parsing phase but, if you use heavy forwarder parsing phase will be on Heavy Forwarder. Universal forwarder cannot perform parsing phase), there you can override that value with sourcetype parameter in props.conf or you can also override its value with Meta field from transforms.conf.

I hope this gives you the understanding that you need about sourcetype.

0 Karma

ahmedragy922
Explorer

thank you for your reply , but if i want to dynamically identify the sourcetype of data the are coming to indexer from forwarder , in this case i need to modify props.conf in indexer (parsing phase) to create regex matching the data and gives it a sourcetype ???

VatsalJagani
SplunkTrust
SplunkTrust

props.conf

[<some stanza>]
TRANSFORMS-change_sourcetype = change_sourcetype_tr

transforms.conf

[change_sourcetype_tr]
REGEX = <regex to identify events for which you want to change sourcetype for>
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::<new sourcetype you want to assign>
0 Karma

ahmedragy922
Explorer

thank you

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...