I am looking to change the source type for this app, Splunk Add-on for Microsoft Security.
Hope you got the solution. If so, could you please mark the question as solved, so it will be moved from unanswered to solved. Thanks. Karma / upvotes are always welcome, thanks.
What is the problem you are trying to solve? Not the immediate technical "problem" - how to change sourcetype - but the business one. Why do you want to do that?
1) Do you want to change the sourcetype of the already indexed data,
or
2) new data that is yet to be onboarded?
For case 1, the answer is no. Once the data is ingested, we cannot alter or modify anything in the indexed data.
For case 2, you can refer to the previous reply. Please note that most of the time you need not change/modify the sourcetype of an app/add-on unless you have some specific requirements, thanks.
When changing the sourcetype, please note that any knowledge objects (field extractions, calculated fields, etc) in the app that apply to the previous sourcetype will then no longer apply, unless you then modify them to apply to the new sourcetype.
It is likely possible to configure the app using the webUI to make the /local/inputs.conf stanzas, which could then be edited to use a different sourcetype.
Another option would be to use transforms to change the sourcetype:
You can put these config files in the local directory of the app (E.g. /opt/splunk/etc/apps/Splunk_TA_MS_Security/local) in the heavy forwarder where you installed the app, or append their contents to existing files of the same name in the local directory.
props.conf
# e.g. if you want to change ms365:defender:incident to "ms:new:sourcetype:value". Add more stanzas for each sourcetype to change.
[ms365:defender:incident]
TRANSFORMS-ChangeSourceType = ChangeSourceType
transforms.conf
[ChangeSourceType]
# custom regex can be set here to apply to matching events (.* matches every event of the sourcetype)
REGEX = .*
# DEST_KEY tells Splunk which metadata field the transform rewrites; without it the override does nothing
DEST_KEY = MetaData:Sourcetype
# the FORMAT value is taken literally, so do not quote the new sourcetype name
FORMAT = sourcetype::ms:new:sourcetype:value
Ref:
https://docs.splunk.com/Documentation/Splunk/latest/Data/Advancedsourcetypeoverrides
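As an added, constructed example (not from this thread, the add-on, or Splunk itself), the Python below parses props.conf and transforms.conf stanzas like the ones above, checks that a sourcetype-override transform carries the keys Splunk needs (DEST_KEY = MetaData:Sourcetype and an unquoted sourcetype:: FORMAT), and walks the TRANSFORMS- chain for a sample event to show which sourcetype it would end up with. The file contents, the BrokenOverride stanza and the sample event are constructed, and the override walk is a simplified model of Splunk's behaviour for checking configs before deployment.

```python
import configparser
import re

# Constructed sample files modelled on the stanzas posted in the answer above.
PROPS_CONF = """
[ms365:defender:incident]
TRANSFORMS-ChangeSourceType = ChangeSourceType
"""

TRANSFORMS_CONF = """
[ChangeSourceType]
REGEX = .*
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::ms:new:sourcetype:value

[BrokenOverride]
# constructed bad stanza: no DEST_KEY and a quoted FORMAT value
REGEX = .*
FORMAT = sourcetype::"quoted:value"
"""

def parse_conf(text):
    """Parse Splunk-style .conf text; keys stay case-sensitive and only '=' separates key/value."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp

def validate_override(stanza):
    """Return the problems that would stop a transforms.conf stanza from rewriting sourcetype."""
    problems = []
    if stanza.get("DEST_KEY") != "MetaData:Sourcetype":
        problems.append("DEST_KEY must be MetaData:Sourcetype")
    fmt = stanza.get("FORMAT", "")
    if not fmt.startswith("sourcetype::"):
        problems.append("FORMAT must start with sourcetype::")
    elif '"' in fmt:
        problems.append("FORMAT is literal; quotes would become part of the sourcetype name")
    try:
        re.compile(stanza.get("REGEX", ""))
    except re.error as exc:
        problems.append(f"REGEX does not compile: {exc}")
    return problems

def resolve_sourcetype(props, transforms, original_sourcetype, raw_event):
    """Apply every valid TRANSFORMS-* entry for a sourcetype to one raw event."""
    result = original_sourcetype
    if original_sourcetype not in props:
        return result
    for key, value in props[original_sourcetype].items():
        if not key.startswith("TRANSFORMS-"):
            continue
        for name in (n.strip() for n in value.split(",")):
            stanza = transforms[name]
            if validate_override(stanza):
                continue  # a misconfigured stanza leaves the sourcetype untouched
            if re.search(stanza["REGEX"], raw_event):
                result = stanza["FORMAT"][len("sourcetype::"):]
    return result
```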