Splunk Enterprise

How do I change sourcetype

sureshmani04
New Member

I am looking to change the source type for this app, Splunk Add-on for Microsoft Security.

0 Karma

inventsekar
SplunkTrust

Hi @sureshmani04 

Hope you got the solution. If so, could you please mark the question as solved, so it will be moved from unanswered to solved? Thanks. Karma / upvotes are always welcome, thanks.

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, please consider upvoting. Thanks for reading!
0 Karma

PickleRick
SplunkTrust

What is the problem you are trying to solve? Not the immediate technical "problem" - how to change sourcetype - but the business one. Why do you want to do that?

isoutamo
SplunkTrust

Could you describe the issue you are trying to solve, rather than the action by which you are solving it?

inventsekar
SplunkTrust

Hi @sureshmani04 

1) Do you want to change the sourcetype of already indexed data,

or

2) of new data that is yet to be onboarded?

For case 1, the answer is no. Once the data is ingested, we cannot alter or modify anything in the indexed data.

For case 2, you can refer to the previous reply. Please note that most of the time you need not change/modify the sourcetype of an app/add-on unless you have some specific requirements, thanks.

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, please consider upvoting. Thanks for reading!
0 Karma

marnall
Motivator

When changing the sourcetype, please note that any knowledge objects (field extractions, calculated fields, etc.) in the app that apply to the previous sourcetype will then no longer apply, unless you modify them to apply to the new sourcetype.

It is likely possible to configure the app using the web UI to generate the /local/inputs.conf stanzas, which could then be edited to use a different sourcetype.

Another option would be to use transforms to change the sourcetype:

You can put these config files in the local directory of the app (e.g. /opt/splunk/etc/apps/Splunk_TA_MS_Security/local) on the heavy forwarder where you installed the app, or append their contents to existing files of the same name in the local directory.

props.conf

# e.g. to change ms365:defender:incident to ms:new:sourcetype:value. Add one such stanza for each sourcetype you want to change.
[ms365:defender:incident]
TRANSFORMS-ChangeSourceType = ChangeSourceType

transforms.conf

[ChangeSourceType]
# A more specific regex can be set here so that only matching events are rewritten
REGEX = .*
# The new sourcetype name follows sourcetype:: without quotes; DEST_KEY is required for the override to take effect
FORMAT = sourcetype::ms:new:sourcetype:value
DEST_KEY = MetaData:Sourcetype

Ref:
https://docs.splunk.com/Documentation/Splunk/latest/Data/Advancedsourcetypeoverrides

0 Karma
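Added here as an example, not code from the thread or from the Splunk add-on: a small Python lint that parses a props.conf and a transforms.conf and checks that the override chain is wired the way the referenced doc describes (every TRANSFORMS-* class exists, a FORMAT = sourcetype::<name> rewrite is paired with DEST_KEY = MetaData:Sourcetype, and the new name carries no stray quotes that would become part of the value). The sample stanzas are constructed for the example, and the check reflects the documented pattern only, so a real deployment should still be confirmed with btool and a test ingest.

```python
import configparser

# Constructed sample: the props.conf stanza posted in the thread above.
PROPS_CONF = """[ms365:defender:incident]
TRANSFORMS-ChangeSourceType = ChangeSourceType
"""

# Constructed weak form: no DEST_KEY, and quotes that would become part of the value.
WEAK_TRANSFORMS_CONF = """[ChangeSourceType]
REGEX = .*
FORMAT = sourcetype::"ms:new:sourcetype:value"
"""

# Constructed corrected form, following the documented advanced sourcetype override pattern.
FIXED_TRANSFORMS_CONF = """[ChangeSourceType]
REGEX = .*
FORMAT = sourcetype::ms:new:sourcetype:value
DEST_KEY = MetaData:Sourcetype
"""

def _parse(text: str) -> configparser.ConfigParser:
    # Splunk .conf files are INI-like; only '=' separates key from value and keys are case-sensitive.
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp

def lint_sourcetype_overrides(props_text: str, transforms_text: str) -> list[str]:
    """Return the problems found; an empty list means every TRANSFORMS-* chain is wired correctly."""
    props, transforms = _parse(props_text), _parse(transforms_text)
    problems = []
    for stanza in props.sections():
        for key, value in props[stanza].items():
            if not key.startswith("TRANSFORMS-"):
                continue
            for cls in (c.strip() for c in value.split(",")):  # one key may list several classes
                if cls not in transforms:
                    problems.append(f"{stanza}: transform class '{cls}' is not defined in transforms.conf")
                    continue
                t = transforms[cls]
                fmt = t.get("FORMAT", "")
                if not fmt.startswith("sourcetype::"):
                    continue  # not a sourcetype rewrite; nothing further to check here
                if t.get("DEST_KEY") != "MetaData:Sourcetype":
                    problems.append(f"{cls}: FORMAT rewrites sourcetype but DEST_KEY is not MetaData:Sourcetype")
                new_st = fmt[len("sourcetype::"):]
                if new_st != new_st.strip("\"'"):
                    problems.append(f"{cls}: quotes in FORMAT become part of the sourcetype value ({new_st})")
    return problems
```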