HUNK: How to create two different sourcetypes from...

tony_alibelli · ‎08-26-2015

I have two types of people that need to access the same data source, but one of them must access anonymized data.

I have created two applications and I tried to force the sourcetype in props.conf and transforms.conf, but Splunk merged both and only one transform is applied.

Props.conf
First App :

[source::.../user/haddadm/share/hls/commun/data/reception/access/env=homo/*/*/*]
TRANSFORMS-sourcetype = source1

Second App :

[source::.../user/haddadm/share/hls/commun/data/reception/access/env=homo/*/*/*]
TRANSFORMS-sourcetype2 = source2

Transforms :
First App :

[source2]
DEST_KEY = MetaData:Sourcetype
REGEX = .*
FORMAT = sourcetype::access2

Second App:

[source2]
DEST_KEY = MetaData:Sourcetype
REGEX = .*
FORMAT = sourcetype::access2

Can someone help me?

FritzWittwer_ol · ‎08-26-2015

One event can have only one source type, think of it as a tag which gets added upon indexing. If you need the clear and the anonymized data, I would copy the data to a second index and anonymize the data during this copy. So you can create a role which has only access to this index, and thus only to the anonymized data.
If it is not that important, you could create an app which does not show the clear data, create a restricted role for this app so it has access to this index, but can not execute any free from search. Then grant only this app to a certain role. But if one user has an additional role which allows access to the search app, then this user is able to search the index and see the clear data, something you probably don't want.

HUNK: How to create two different sourcetypes from the same source (HDFS) in two dedicated apps?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes