Hope you all have faced this situation.. We got incoming mixed data from a single source (eg source=my_application.log) . This currently is parsed at arrival as sourcetype=my:application
. But this contains valuable information of application:audit
and application:transactions
for example.
Most of the search-time extractions are similar for audit & transactions. But currently I have to copy all of the logic on each sourcetype which is pure duplication of code.
Any ideas/tricks to ensure the search-time extractions done on parent-sourcetype can be inherited to child sourcetypes?
Expecting something like below
[my:application]
# all common extractions here
## Hope to inherit all work done in above sourcetype
[my:application:audit]
# some very specific extractions for audit only
[my:application:transaction]
# some very specific extractions for txns
check Palo Alto TA (props.conf) for detailed description on how to solve your problem. so your example would look something like this below.
[my:application]
# all common extractions here
[my:application:audit]
# some very specific extractions for audit only
[my:application:transaction]
# some very specific extractions for txns
hi, this didn't do for me.
Since Transformations happen at indextime, how can Search Head (where search-time extractions) know to apply the search-time extractions for another sourcetype?
Hi,
have you tried to copy your props.conf on both systems (index and search head)?
Hi
Transformation works also on search time, but you must have those definitions on search head layers (just like fields.conf).
T. Ismo
You can rename sourcetypes as per: https://docs.splunk.com/Documentation/Splunk/7.1.2/Data/Renamesourcetypes.
I usually approach this using a transforms to set sourcetype at ingest, though not positive that would be of most use to you. Is it possible to post sample events scrubbed of course:))?
I liked this idea. I feel its bit childish as per the document, but a new way. thanks for that.