- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Splunk event sourcetype overide and send event bac...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk event sourcetype overide and send event back to parsing queue
I have a situation where I have to parse the data, especially timestamp extraction based on the keyword in the message.
like if event contains keyword "hello" I need to assigntimestamp from one field , if event contains "hi" I need to assign timestamp from other field during index time.
I tried to override source type based on matching keyword. But how to send the event back to parsing queue to re-assign timestamp based on new source type.
Or is there any other method achieve to assign timestamp based on keyword present in event.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
remember sourcetype overwrite is done in the end of the pipeline , just as cosmetic change for the latter search time field extractions and calculations.
I would still overwrite the sourcetype like you are doing but considering your use case of timestamp, I would create an EVAL in each sourcetype definition stating that _time=fieldA in one sourcetype and the respective thing on _time=fieldB on the other one.
Any time you later search for any of the sourcetype, your time will be showing modified.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please let me know if the answer was useful for you. If it was, accept it and upvote. If not, give us more input so we can help you with that
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, similar post :
https://answers.splunk.com/answers/447812/per-event-sourcetype-overrides-not-actually-a-lot.html?utm...
Then anyone tried custom datetime.xml as below:
https://docs.splunk.com/Documentation/Splunk/7.3.0/Data/Configuredatetimexml#Create_or_modify_a_cust...
Is this something complex but feasible? or better not even try it since the words "In nearly all cases, you do not need to modify datetime.xml" ?
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Could you post a sample of your data? That would be helpful 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk data goes only once through the parsing pipeline so there is no way to do exactly what you are asking for
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Looks someone tried Chaining Universal Forwarders to allow forwarding more than once.
Then, for technical discussion, can we try add an intermediate heavy forwarder (HF1) to do the event sourcetype overiding, then forward that to indexer or second heavy forwarder (HF2) to do the timestamp parsing again as per new sourcetypes? 🙂
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
