In my environment we're currently ingesting events from several data sources (proxy, IPS) that use Common Event Format (CEF). Ever since finding the CEF App for Splunk, I've assigned sourcetype=cefevents to all of these data feeds. It's been quite nice, since all of the logic for parsing out the key/value pairs is embedded in the Splunk App.
Just recently I've been adding field aliases to various non-CEF sourcetypes in an attempt to conform to the Splunk Common Information Model... easy. This afternoon when I was trying to do this same thing for sourcetype=cefevents, I realized that I wouldn't be able to vary the field aliasing per CEF data source (proxy, IPS).
For instance, the proxy logs use a field named cs4 to store the event referrer URL string, and the IDS logs use cs4 to store the MAC address of an applicable device. If I alias cs4 to a field named http_referrer, the alias would be misleading when viewing any IDS events.
Is there any type of sourcetype inheritance that I can use in Splunk? I'd like to create a proxy sourcetype and an IDS sourcetype that both use the existing logic from the CEF Splunk App. I don't really like the idea of copying the logic from the CEF Splunk App into each new CEF sourcetype I create. Data duplication, ick.
Edit: I'm currently using Splunk Enterprise 5.0.4.
-A
for posterity... this is a challenging situation because sourcetype is one of the few things that gets set at index time. I forget now if we later added a capability to override at search time or people just started using it because computers get faster, but the realistic use case in early 2015 is to just override your sourcetype to what you want with props and transforms. This is required as often as not, to make sense of earlier decisions. I can't find the quote right now, but someone smart said something like "every mess was made one sensible decision at a time".
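A worked configuration for the approach the answer above describes (overriding the sourcetype with props.conf and transforms.conf, then attaching per-sourcetype field aliases), added here as an example; it is not from the original thread or from the CEF App. The file paths, the vendor/product strings in the CEF header, and the sourcetype names `cef_proxy` and `cef_ids` are assumptions. It also shows a second, search-time-only variant using `source::` stanzas, which keeps sourcetype=cefevents (so the CEF App's extractions keep applying unchanged) while still giving each feed its own alias for cs4.

```ini
# ---------------------------------------------------------------
# transforms.conf  (index-time: route each CEF feed to its own sourcetype)
# The CEF header is "CEF:Version|Device Vendor|Device Product|...", so the
# vendor/product fields are a stable anchor. Vendor/product strings below
# are placeholders; substitute the real header values from your feeds.
# ---------------------------------------------------------------
[cef_set_sourcetype_proxy]
REGEX    = CEF:\d+\|ExampleVendor\|ExampleProxy\|
FORMAT   = sourcetype::cef_proxy
DEST_KEY = MetaData:Sourcetype

[cef_set_sourcetype_ids]
REGEX    = CEF:\d+\|ExampleVendor\|ExampleIDS\|
FORMAT   = sourcetype::cef_ids
DEST_KEY = MetaData:Sourcetype

# ---------------------------------------------------------------
# props.conf
# ---------------------------------------------------------------
# Events still arrive tagged as cefevents; the TRANSFORMS- setting runs the
# two rules above at index time and rewrites the sourcetype before indexing.
[cefevents]
TRANSFORMS-route_cef = cef_set_sourcetype_proxy, cef_set_sourcetype_ids

# Each new sourcetype now gets its own meaning for cs4.
# Caveat: the CEF App's extractions are keyed to the cefevents stanza, so
# they do NOT follow events that were renamed; you must point the App's
# search-time extraction at these stanzas as well (or use the variant below).
[cef_proxy]
FIELDALIAS-cef_proxy_referrer = cs4 AS http_referrer

[cef_ids]
FIELDALIAS-cef_ids_mac = cs4 AS src_mac

# ---------------------------------------------------------------
# Variant: search-time only, no sourcetype override.
# Leave sourcetype=cefevents alone so the CEF App's parsing still applies,
# and hang the per-feed alias on a source:: stanza instead. Search-time
# settings from matching source:: and sourcetype stanzas are both applied,
# so no CEF App logic has to be copied. Paths are placeholders.
# ---------------------------------------------------------------
[source::/var/log/proxy/...]
FIELDALIAS-proxy_referrer = cs4 AS http_referrer

[source::/var/log/ids/...]
FIELDALIAS-ids_mac = cs4 AS src_mac
```

The index-time variant needs a restart of the indexer (or heavy forwarder) doing the parsing and only affects data indexed after the change; the source:: variant is purely search-time and applies to already-indexed events as soon as the search head reloads props.conf. In both cases verify with a search such as `sourcetype=cef_* | stats count by sourcetype, http_referrer, src_mac` that the proxy events populate only http_referrer and the IDS events only src_mac.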
Did you ever find a solution for this? I'm curious about the same 😞