Getting Data In

How do I override source types in SplunkCloud

tkhouri
Explorer

I know that I can override source types dynamically per event based on this documentation link here: (docs.splunk.com/Documentation/Splunk/6.2.5/Data/Advancedsourcetypeoverrides)

I'm reading events from a custom source file (it's just a text file on Linux).

How do I change the source name dynamically in a SplunkCloud offering?

0 Karma
1 Solution

acharlieh
Influencer

One option is to use a Heavy Forwarder (HF) instead of or in addition to your Universal Forwarders (UF). Either the HF could be on the origin system, OR you could have the UFs forward to the HF which in turn forwards to Splunk Cloud. The Heavy Forwarder is able to do all of the parsing steps, including per-event sourcetype overrides as you're wanting to do. (There is an exception that structured data like CSV and W3C using INDEXED_EXTRACTIONS actually has this part of parsing happen on the UF, so you would actually do this step on the UFs, but only if you were using that sort of sourcetype to begin with.)

Some docs links that you might find interesting:

I am not a Splunk Cloud customer, but I believe the other option is to develop your configuration and work with support to get it installed in your Splunk Cloud indexers, but of course that's more in Splunk's control rather than yours.



tkhouri
Explorer

Thanks for the feedback - I'm not a big fan of "forwarders to forwarders", but this is a (potential) option 🙂

0 Karma

acharlieh
Influencer

As I mentioned on the last line of my answer, the other option then is to open a support case to put your props and transforms into the configuration of your Splunk Cloud indexers. Per http://docs.splunk.com/Documentation/SplunkCloud/SplunkCloud/FAQs/FAQs under "What can Splunk support help me with?" the last bullet is "Modify the configuration settings of your deployment".

You'll likely still be responsible for developing the specific stanzas that you want to configure, it'd just likely take longer to take effect since you would not have as much control of when your changes are rolled out.
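For reference, here is what the props and transforms stanzas for a per-event sourcetype override look like; this is an added illustration, not configuration from either poster. The file path, the sourcetype names and the log format are assumptions, and the stanzas go on whichever system does parsing (the Heavy Forwarder, or the Splunk Cloud indexers via a support case), not on a Universal Forwarder.

```ini
# inputs.conf (Universal Forwarder) - assumed custom text file, assigned a
# base sourcetype so its events can be matched by the transforms below.
[monitor:///var/log/custom/app.log]
sourcetype = custom_app
index = main

# props.conf (Heavy Forwarder or Cloud indexers) - run the override
# transforms, in order, against every event arriving with sourcetype
# custom_app. The first matching transform wins for each event.
[custom_app]
TRANSFORMS-sourcetype_override = custom_app_auth, custom_app_error

# transforms.conf - each stanza rewrites the sourcetype of events whose raw
# text matches REGEX. DEST_KEY MetaData:Sourcetype is what makes this a
# sourcetype override rather than a field extraction; FORMAT must start
# with "sourcetype::".
[custom_app_auth]
# Assumed line shape: "2024-03-01T10:00:00Z AUTH login failed user=bob"
REGEX = ^\S+\s+AUTH\s
FORMAT = sourcetype::custom_app:auth
DEST_KEY = MetaData:Sourcetype

[custom_app_error]
# Assumed line shape: "2024-03-01T10:00:01Z ERROR db connection refused"
REGEX = ^\S+\s+ERROR\s
FORMAT = sourcetype::custom_app:error
DEST_KEY = MetaData:Sourcetype
```

Line breaking and timestamp extraction have already happened under the original custom_app stanza by the time the override runs, so index-time settings such as LINE_BREAKER or TIME_FORMAT belong in [custom_app], while search-time extractions for the auth and error events go in [custom_app:auth] and [custom_app:error].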

tkhouri
Explorer

Thanks again - I didn't quite catch that this was standard functionality from SplunkCloud.

0 Karma