Splunk Search

How do I replace sourcetype?

Kalnins
Observer

Finally we migrated away from the Microsoft Azure Add-on for Splunk to the Splunk Add-on for Microsoft Cloud Services.

In the Microsoft Azure Add-on for Splunk inputs conf it was possible to specify the Event Hub sourcetype manually, but in the Splunk Add-on for Microsoft Cloud Services we need to choose the value. The problem is that we need the values azure:ad_signin:eventhub and azure:ad_audit:eventhub, but the Splunk Add-on for Microsoft Cloud Services provides only mscs:azure:eventhub.

Based on the log information from Azure there is a Category field with the values (SignInLogs, AuditLogs). From it I can specify which is an audit log and which is a sign-in log and change the sourcetype for each log type.
On the Heavy Forwarder where the app is deployed (/opt/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/default) I added the following config. But nothing changed; the sourcetype stays mscs:azure:eventhub. Any ideas what I'm missing?

props.conf
[mscs:azure:eventhub]
TRANSFORMS-rename = SignInLogs,AuditLogs

transforms.conf
[SignInLogs]
REGEX = SignInLogs
SOURCE_KEY = field:category
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::azure:ad_signin:eventhub
WRITE_META = true

[AuditLogs]
REGEX = AuditLogs
SOURCE_KEY = field:category
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::azure:ad_audit:eventhub
WRITE_META = true

0 Karma

Kalnins
Observer

Tried this config also. Still no result.

props.conf
[mscs:azure:eventhub]
TRANSFORMS-sourcetype_azure_ad_audit_eventhub = azure_ad_audit_eventhub
TRANSFORMS-sourcetype_azure_ad_signin_eventhub = azure_ad_signin_eventhub

transforms.conf

[azure_ad_signin_eventhub]
REGEX = "category":"SignInLogs"
FORMAT = sourcetype::azure:ad_signin:eventhub
DEST_KEY = MetaData:Sourcetype

[azure_ad_audit_eventhub]
REGEX = "category":"AuditLogs"
FORMAT = sourcetype::azure:ad_audit:eventhub
DEST_KEY = MetaData:Sourcetype

0 Karma
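Before pushing a config like the second attempt to the heavy forwarder, it is worth checking that each REGEX actually matches the raw JSON the Event Hub input delivers, since an index-time transform that never matches silently leaves the sourcetype at mscs:azure:eventhub. The script below is an added example, not part of the post or of the add-on: it parses the posted transforms.conf stanzas and applies them to sample _raw events the way a transform with DEST_KEY = MetaData:Sourcetype would (SOURCE_KEY defaulting to _raw, later matches overwriting earlier ones). The sample events are constructed, not real Event Hub output, and the whitespace-tolerant TOLERANT_CONF variant is an assumption added to show what happens when the serializer prints a space after the colon.

```python
import re
from configparser import ConfigParser

# transforms.conf stanzas exactly as posted in the second attempt above
POSTED_CONF = r"""
[azure_ad_signin_eventhub]
REGEX = "category":"SignInLogs"
FORMAT = sourcetype::azure:ad_signin:eventhub
DEST_KEY = MetaData:Sourcetype

[azure_ad_audit_eventhub]
REGEX = "category":"AuditLogs"
FORMAT = sourcetype::azure:ad_audit:eventhub
DEST_KEY = MetaData:Sourcetype
"""

# Assumed variant (not from the post): \s* lets REGEX also match '"category": "..."'
TOLERANT_CONF = POSTED_CONF.replace('"category":"', r'"category":\s*"')

# Constructed sample _raw events, not real Event Hub output; the "spaced" one
# has a space after the colon, which is how most JSON serializers print it.
SAMPLES = {
    "compact": '{"category":"SignInLogs","operationName":"Sign-in activity"}',
    "spaced":  '{"category": "AuditLogs", "operationName": "Update user"}',
    "other":   '{"category":"ProvisioningLogs","operationName":"Sync"}',
}

def load_transforms(conf_text):
    """Parse transforms.conf-style stanzas into a list of dicts."""
    cp = ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep REGEX/FORMAT/DEST_KEY upper case
    cp.read_string(conf_text)
    return [dict(cp[name], name=name) for name in cp.sections()]

def apply_sourcetype_transforms(raw, transforms, default="mscs:azure:eventhub"):
    """Emulate index-time TRANSFORMS that write MetaData:Sourcetype: SOURCE_KEY
    defaults to _raw, and a later matching stanza overwrites an earlier one."""
    sourcetype = default
    for t in transforms:
        if t.get("DEST_KEY") == "MetaData:Sourcetype" and re.search(t["REGEX"], raw):
            sourcetype = t["FORMAT"].split("::", 1)[1]  # strip "sourcetype::"
    return sourcetype

def check_samples(conf_text=POSTED_CONF):
    """Return {sample name: resulting sourcetype} for the given conf text."""
    transforms = load_transforms(conf_text)
    return {n: apply_sourcetype_transforms(raw, transforms) for n, raw in SAMPLES.items()}
```

With the posted regex the "spaced" event keeps mscs:azure:eventhub, while the tolerant variant rewrites it; paste a real event from the index into SAMPLES to check the pattern against the actual format before restarting the forwarder.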