
Sourcetype inheritance

w531t4
Path Finder

In my environment we're currently ingesting events from several data sources (proxy, IPS) that use Common Event Format (CEF). Ever since finding the CEF App for Splunk, I've assigned sourcetype=cefevents to all of these data feeds. It's been quite nice, since all of the logic for parsing out the key/value pairs is embedded in the Splunk App.

Just recently I've been adding field aliases to various non-CEF sourcetypes in an attempt to conform to the Splunk Common Information Model... easy. This afternoon, when I was trying to do the same thing for sourcetype=cefevents, I realized that I wouldn't be able to vary the field aliasing per CEF data source (proxy, IPS).

For instance, the proxy logs use a field named cs4 to store the event referrer URL string, and the IDS logs use cs4 to store the MAC address of an applicable device. If I alias cs4 to a field named http_referrer, the alias would be misleading when viewing any IDS events.

Is there any type of sourcetype inheritance that I can use in Splunk? I'd like to create a proxy sourcetype and an IDS sourcetype that both use the existing logic from the CEF Splunk App. I don't really like the idea of copying the logic from the CEF Splunk App into each new CEF sourcetype I create. Data duplication, ick.

Edit: I'm currently using Splunk Enterprise 5.0.4.

-A

0 Karma

jcoates_splunk
Splunk Employee

For posterity: this is a challenging situation because sourcetype is one of the few things that gets set at index time. I forget now if we later added a capability to override at search time or people just started using it because computers get faster, but the realistic use case in early 2015 is to just override your sourcetype to what you want with props and transforms. This is required as often as not, to make sense of earlier decisions. I can't find the quote right now, but someone smart said something like "every mess was made one sensible decision at a time".

0 Karma
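For readers landing here later, the two ways this is normally handled in props.conf/transforms.conf are sketched below. This is an added illustration, not configuration from the thread or from the CEF App for Splunk; the host patterns, the CEF vendor/product strings and the alias target names (http_referrer is the CIM Web field, device_mac is just a descriptive placeholder) are assumptions chosen for the example. Option A answers the original question without any copying: search-time settings in [host::...] and [source::...] stanzas are applied together with the matching sourcetype stanza (source beats host beats sourcetype when the same setting class collides), so every feed can stay on sourcetype=cefevents and keep the app's extractions while each feed gets its own aliases. Option B is the index-time sourcetype override described in the answer above.

```ini
# ---------------------------------------------------------------
# Option A: keep sourcetype=cefevents, alias per feed by host.
# props.conf on the search head(s). Host patterns are placeholders.
# ---------------------------------------------------------------
[host::proxy-*]
# cs4 carries the referrer on the proxy feed
FIELDALIAS-cef_proxy_aliases = cs4 AS http_referrer

[host::ids-*]
# cs4 carries a MAC address on the IDS feed
FIELDALIAS-cef_ids_aliases = cs4 AS device_mac

# ---------------------------------------------------------------
# Option B: override the sourcetype at index time (answer above).
# props.conf on whatever does the parsing (indexer or heavy
# forwarder); a restart is needed and only new data is affected.
# ---------------------------------------------------------------
[cefevents]
TRANSFORMS-route_cef_feeds = set_cef_proxy, set_cef_ids

[cef:proxy]
FIELDALIAS-cef_proxy_aliases = cs4 AS http_referrer

[cef:ids]
FIELDALIAS-cef_ids_aliases = cs4 AS device_mac

# ---------------------------------------------------------------
# transforms.conf for Option B. The match is on the CEF header,
# CEF:<version>|<Device Vendor>|<Device Product>|... ; the vendor
# and product strings here are placeholders, not real products.
# ---------------------------------------------------------------
[set_cef_proxy]
REGEX = CEF:\d+\|ExampleVendor\|ExampleProxy\|
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::cef:proxy

[set_cef_ids]
REGEX = CEF:\d+\|ExampleVendor\|ExampleIDS\|
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::cef:ids
```

The caveat with Option B is exactly the one the question raises: once an event is indexed as cef:proxy or cef:ids it no longer matches the CEF app's [cefevents] stanza, so the app's search-time extractions have to be attached to each new sourcetype as well (by referencing whatever REPORT-/EXTRACT- stanzas the app defines, which are not shown here). Option A avoids that because the sourcetype, and therefore the app's stanza, is unchanged. Check either variant with `| head 5 | table host sourcetype cs4 http_referrer device_mac` against a few events from each feed.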

sloshburch
Splunk Employee

Did you ever find a solution for this? I'm curious about the same 😞

0 Karma