Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

what is the difference between override source type from forwarder and from indexer???

ahmedragy922
Explorer
‎06-08-2019 06:55 AM

Hi,
i'm new to splunk , i just wounder what is the difference between override source type/index from forwarder and from indexer???
and also if i choose to override sourcetype of files in universal forwarder , should i create a sourcetype and regex in transforms.conf on Search head with the new name that i specified in Universal Forwarder inputs.conf file to extract fields???

Reply
1 Solution
Solved! Jump to solution
Solution

VatsalJagani
Super Champion
‎06-08-2019 11:41 PM

@ahmedragy922,

There are three ways some ways you can attach sourcetype to your event. you should not worry about its difference as for user when you search the data there its just one sourcetype statically attached to your event + props/transforms regarding sourcetype will not apply on universal forwarder it will apply on Indexer.

If you write sourcetype in inputs.conf that will be applied from universal forwarder. Then data come to Indexer (it is called parsing phase but, if you use heavy forwarder parsing phase will be on Heavy Forwarder. Universal forwarder cannot perform parsing phase), there you can override that value with sourcetype parameter in props.conf or you can also override its value with Meta field from transforms.conf.

I hope this gives you the understanding that you need about sourcetype.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

VatsalJagani
Super Champion
‎06-08-2019 11:41 PM

@ahmedragy922,

There are three ways some ways you can attach sourcetype to your event. you should not worry about its difference as for user when you search the data there its just one sourcetype statically attached to your event + props/transforms regarding sourcetype will not apply on universal forwarder it will apply on Indexer.

If you write sourcetype in inputs.conf that will be applied from universal forwarder. Then data come to Indexer (it is called parsing phase but, if you use heavy forwarder parsing phase will be on Heavy Forwarder. Universal forwarder cannot perform parsing phase), there you can override that value with sourcetype parameter in props.conf or you can also override its value with Meta field from transforms.conf.

I hope this gives you the understanding that you need about sourcetype.

0 Karma
Reply
Solved! Jump to solution

ahmedragy922
Explorer
‎06-09-2019 04:41 AM

thank you for your reply , but if i want to dynamically identify the sourcetype of data the are coming to indexer from forwarder , in this case i need to modify props.conf in indexer (parsing phase) to create regex matching the data and gives it a sourcetype ???

Reply
Solved! Jump to solution

VatsalJagani
Super Champion
‎06-09-2019 07:18 AM

props.conf

[<some stanza>]
TRANSFORMS-change_sourcetype = change_sourcetype_tr

transforms.conf

[change_sourcetype_tr]
REGEX = <regex to identify events for which you want to change sourcetype for>
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::<new sourcetype you want to assign>
0 Karma
Reply
Solved! Jump to solution

ahmedragy922
Explorer
‎06-11-2019 06:47 AM

thank you

Reply
Get Updates on the Splunk Community!

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Reimagine what you can do with your dashboards. Dashboard Studio is Splunk’s newest dashboard builder to ...

Introducing Edge Processor: Next Gen Data Transformation

We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...