Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About sudha_krish
sudha_krish
Explorer
Member since:
03-21-2025
Thursday
Community Statistics
| Posts | 9 |
| Solutions | 1 |
| Karma Given | 8 |
| Karma Received | 0 |
| Member Since | 03-21-2025 |
Activity Feed
- Posted Content-Security-Policy HTTP Header missing on splunk web request on Security. Thursday
- Karma Re: how can I keep the original meta when cloning the event. for PickleRick. 07-16-2025 01:06 AM
- Posted Re: how can I keep the original meta when cloning the event. on Getting Data In. 07-15-2025 10:05 PM
- Karma Re: how can I keep the original meta when cloning the event. for livehybrid. 07-15-2025 08:33 PM
- Karma Re: Can forward logs to third party server from HF over HTTP for gcusello. 07-15-2025 11:40 AM
- Karma Re: Can forward logs to third party server from HF over HTTP for livehybrid. 07-15-2025 11:40 AM
- Karma Re: Can forward logs to third party server from HF over HTTP for gcusello. 07-15-2025 11:40 AM
- Karma Re: Can forward logs to third party server from HF over HTTP for isoutamo. 07-15-2025 11:40 AM
- Posted Re: how can I keep the original meta when cloning the event. on Getting Data In. 07-15-2025 11:39 AM
- Posted how can I keep the original meta when cloning the event. on Getting Data In. 07-15-2025 11:37 AM
- Karma Re: Can forward logs to third party server from HF over HTTP for PickleRick. 07-15-2025 01:57 AM
- Posted Re: Can forward logs to third party server from HF over HTTP on All Apps and Add-ons. 05-11-2025 10:34 PM
- Tagged Re: Can forward logs to third party server from HF over HTTP on All Apps and Add-ons. 05-11-2025 10:34 PM
- Posted Re: Can forward logs to third party server from HF over HTTP on All Apps and Add-ons. 05-11-2025 10:30 PM
- Karma Re: Can forward logs to third party server from HF over HTTP for PickleRick. 05-11-2025 10:26 PM
- Tagged Seeking Solutions for Forwarding Splunk Metadata to Third-Party Systems Over TCP/HTTP on Splunk Enterprise. 05-11-2025 10:21 PM
- Posted Seeking Solutions for Forwarding Splunk Metadata to Third-Party Systems Over TCP/HTTP on Splunk Enterprise. 05-11-2025 10:20 PM
- Posted Can forward logs to third party server from HF over HTTP on All Apps and Add-ons. 04-28-2025 11:55 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
Thursday
The Content-Security-Policy (CSP) HTTP header is missing on port 8000. I do not see the Content-Security-Policy in the Splunk Web response headers. How can I enable and configure a Content Security Policy for the Splunk Web UI?
... View more
Labels
- Labels:
-
administration
-
configuration
07-15-2025
10:05 PM
Here is my props and transforms props.conf
[default]
TRANSFORMS-save_original_sourcetype = save_original_sourcetype
TRANSFORMS-clone_for_thirdparty = clone_for_thirdparty
[data_to_thirdparty]
SHOULD_LINEMERGE = true
TRANSFORMS-updateFields = sourcetype_raw_updated
TRANSFORMS-route_thirdparty = route_thirdparty
transforms.conf
# 1. Save original sourcetype as a field (for use in the clone)
[save_original_sourcetype]
SOURCE_KEY = MetaData:Sourcetype
REGEX = (.+)
FORMAT = orig_sourcetype::$1
WRITE_META = true
# 2. Clone only events from vme_ops_prod to sourcetype=data_to_thirdparty
[clone_for_thirdparty]
SOURCE_KEY = _MetaData:Index
REGEX = ^test_np$
DEST_KEY = MetaData:Sourcetype
CLONE_SOURCETYPE = data_to_thirdparty
WRITE_META = true
# 3. Meta-data transforms for the clone
[sourcetype_raw_updated]
SOURCE_KEY=MetaData:orig_sourcetype
REGEX=^orig_sourcetype::(.*)$
FORMAT = $1##$0
DEST_KEY=_raw
# 4. Route the cloned event ONLY to thirdparty
[route_thirdparty]
SOURCE_KEY = _MetaData:Index
REGEX = (^test_np.*)
DEST_KEY = _TCP_ROUTING
FORMAT = dev_thirdparty I'm sending logs (no cooked data) to thirdpartyserver over TCP without disturbing existing flow. so I just cloned the event and adding original sourcetype to the cloned event and sending to thirdparty output group. now the issue here is I can't find the original source type.
... View more
07-15-2025
11:39 AM
I just want to add the orig_sourcetype to the cloned event with original sourcetype value.
... View more
07-15-2025
11:37 AM
I'm cloning the event and before cloning extracting sourcetype to use later. transforms.conf
[copy_original_sourcetype]
SOURCE_KEY = MetaData:Sourcetype
REGEX = (.+)
FORMAT = orig_sourcetype::$1
WRITE_META = true
[clone_for_thirdparty]
SOURCE_KEY = _MetaData:Index
REGEX = ^test_np$
DEST_KEY = MetaData:Sourcetype
CLONE_SOURCETYPE = data_to_thirdparty
WRITE_META = true
[sourcetype_raw_updated]
SOURCE_KEY=MetaData:orig_sourcetype
REGEX=^orig_sourcetype::(.*)$
FORMAT = $1##$0
DEST_KEY=_raw But when I try to retrieve extracted original value I'm getting nothing. Is there any way to persist original sourcetype ? @PickleRick @isoutamo @gcusello
... View more
Labels
- Labels:
-
heavy forwarder
-
props.conf
-
transforms.conf
05-11-2025
10:34 PM
@livehybrid @PickleRick @gcusello Thanks for your responses. I found in the Splunk documentation that forwarding logs to third-party systems is typically done over TCP. I tried using TCP, but I did not receive Splunk metadata like host, sourcetype, source, and index on the third-party system.
... View more
- Tags:
- splunk-enterprise
05-11-2025
10:30 PM
Thanks for your answer, I found in the Splunk documentation that forwarding logs to third-party systems is typically done over TCP. I tried using TCP, but I did not receive Splunk metadata like host, sourcetype, source, and index on the third-party system
... View more
05-11-2025
10:20 PM
I want to forward logs to a third-party system over HTTP, but I found in the Splunk documentation that forwarding logs to third-party systems is typically done over TCP. I tried using TCP, but I did not receive Splunk metadata like host, sourcetype, source, and index on the third-party system. Is it possible to forward logs with metadata to a third-party system over HTTP? If not, how can I get Splunk metadata over TCP? Can anyone suggest a solution? @splunk @splunkent2 @Splunk9 @msplunk @splunk0
... View more
- Tags:
- splunk-enterprise
Labels
- Labels:
-
using Splunk Enterprise
04-28-2025
11:55 PM
I want to forward the logs to third party server from heavy forwarder over http. Here is my outputs.conf [httpout] defaultGroup = otel_hec_group [httpout:otel_hec_group] #server = thirdparty_server:8443 uri = http://thirdparty_server:8443 useSSL = false sourcetype = hf_to_otel disabled = false sslVerifyServerCert = false headers = {"Host": "hf_server", "Content-Type": "application/json"} timeout = 30 but i don't receive logs in third party server and i don't find any error in splunkd logs aswell. @SplunkSE
... View more
Labels
- Labels:
-
configuration
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
Thursday
|
