Override source types on a per-event basis
You can override source types on a per-event basis on the Splunk platform by using a heavy forwarder or Edge Processor to assign the events to a new source type and sending those events to Splunk Cloud Platform. On Splunk Enterprise, you can override source types directly on the instance itself.
This source type assignment happens at parse-time, after the platform has made its initial source type assignment. For more information about this process, see How the Splunk platform assigns source types in Why source types matter.
Since this type of override occurs at parse-time, the override works only on an indexer, heavy forwarder or Edge Processor. It doesn't work on a universal forwarder or directly on Splunk Cloud Platform. See Configuration parameters and the data pipeline in the Admin Manual for more information on what configurations are available at different points in the input, parsing, and indexing processes.
To configure per-event overrides, use the transforms.conf and props.conf configuration files in tandem to specify the events that must use a new source type, along with the source type that the events must use.
For information about configuring basic source type overrides for event data that comes from specific inputs or that has a particular source, see Override automatic source type assignment.
Configuration
To configure per-event overrides, create one stanza in the transforms.conf file and another in the props.conf file. Edit these files in the $SPLUNK_HOME/etc/system/local/ directory or in your own custom application directory at $SPLUNK_HOME/etc/apps/. For more information about configuration files in general, see About configuration files in the Admin Manual.
Edit the transforms.conf file
- Open $SPLUNK_HOME/etc/system/local/transforms.conf file for editing.
- Create a stanza in transforms.conf that follows this syntax:
[<unique_stanza_name>]
REGEX = <your_regex>
FORMAT = sourcetype::<your_custom_sourcetype_value>
DEST_KEY = MetaData:Sourcetype
- Save the file and close it.
In the file, the settings have the following meaning:
<unique_stanza_name> is a name that reflects that the stanza involves a source type. You'll use this name later in the props.conf stanza.
<your_regex> is a regular expression that identifies the events that you want to apply a custom source type to, such as events that carry a particular host name or other field value.
<your_custom_sourcetype_value> is the source type that you want to apply to the events that <your_regex> selected.
You can test regular expressions by using them in searches with the rex search command. See rex in the Search Reference.
Edit the props.conf file
- Open $SPLUNK_HOME/etc/system/local/props.conf.
- Create a stanza in the props.conf file that references the stanza that you specified in the transforms.conf file:
[<spec>]
TRANSFORMS-<class> = <unique_stanza_name>
Refer to the following table for the meanings of each placeholder variable within this stanza:
Placeholder variable: Description
<spec>: Can be set to one of the following: <sourcetype>, the source type of an event; host::<host>, where <host> is the host value for an event; or source::<source>, where <source> is the source value for an event
<class>: Any unique identifier that you want to give to your transform
<unique_stanza_name>: The name of the stanza you created in transforms.conf
- Save the file and close it.
- Restart the Splunk platform instance.
Example: Assign a source type to events from a single input but different hosts
Suppose that you have a shared UDP input, UDP514. Your Splunk platform instance indexes a wide range of data from a number of hosts through this input. You find that you need to apply a particular source type called my_log to data originating from three specific hosts, host1, host2, and host3, reaching your instance through the UDP514 input.
To start, you can use the regular expression that Splunk software typically uses to extract the host field for syslog events. You can find it in $SPLUNK_HOME/etc/system/default/transforms.conf:
[syslog-host]
REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(\w[\w\.\-]{2,})\]?\s
FORMAT = host::$1
DEST_KEY = MetaData:Host
You can modify this regular expression to match events from only the host names you want. In this example, the host names are host1, host2, and host3:
REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(host1|host2|host3)[\w\.\-]*\]?\s
Now you can use the modified regular expression in a transform that applies the my_log source type to events that come from those three hosts:
[set_sourcetype_my_log_for_some_hosts]
REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(host1|host2|host3)[\w\.\-]*\]?\s
FORMAT = sourcetype::my_log
DEST_KEY = MetaData:Sourcetype
Then you can specify that transform in a props.conf stanza that identifies the specific input for the events:
[source::udp:514]
TRANSFORMS-changesourcetype = set_sourcetype_my_log_for_some_hosts
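The following added example is not Splunk code and not part of this page. It is an offline check of the kind the earlier note about testing regular expressions with rex recommends: it parses the transforms.conf and props.conf stanzas quoted in the example above, applies them to a few constructed syslog lines the way the parse-time pipeline would, and returns the resulting host and sourcetype for each event. The matching rules are a simplification (exact stanza matches only, source:: before host:: before sourcetype, and TRANSFORMS-<class> settings applied in sorted order); the syslog-host transform and the set_sourcetype_my_log_exact_hosts stanza, the sample events and the route_event, transforms_for and classify_all functions are additions for the demonstration. It also goes one step beyond the page: because the page's REGEX keeps the trailing [\w\.\-]* from the default host extraction, a host named host10 is also routed to my_log, so the example includes a stricter variant that matches the three names exactly.

```python
"""Offline simulation of the per-event source type override described above.

Added example, not Splunk code and not part of the original page. It parses the
page's transforms.conf and props.conf stanzas, applies them to constructed syslog
lines the way the parsing pipeline would (simplified; see comments), and returns
the resulting host and sourcetype so the REGEX can be checked before a restart.
"""
import re
from configparser import RawConfigParser

# Constructed transforms.conf text. syslog-host and
# set_sourcetype_my_log_for_some_hosts are the stanzas quoted on the page;
# set_sourcetype_my_log_exact_hosts is an added, stricter variant (assumption)
# that drops the trailing [\w\.\-]* so that host10 no longer matches host1.
TRANSFORMS_CONF = r"""
[syslog-host]
REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(\w[\w\.\-]{2,})\]?\s
FORMAT = host::$1
DEST_KEY = MetaData:Host

[set_sourcetype_my_log_for_some_hosts]
REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(host1|host2|host3)[\w\.\-]*\]?\s
FORMAT = sourcetype::my_log
DEST_KEY = MetaData:Sourcetype

[set_sourcetype_my_log_exact_hosts]
REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(host1|host2|host3)\]?\s
FORMAT = sourcetype::my_log
DEST_KEY = MetaData:Sourcetype
"""

# Constructed props.conf text: the page's stanza plus the default host extraction.
PROPS_CONF = r"""
[source::udp:514]
TRANSFORMS-sethost = syslog-host
TRANSFORMS-changesourcetype = set_sourcetype_my_log_for_some_hosts
"""

# The same stanza wired to the stricter transform, for comparison.
PROPS_CONF_STRICT = PROPS_CONF.replace(
    "set_sourcetype_my_log_for_some_hosts", "set_sourcetype_my_log_exact_hosts")

# DEST_KEY values mapped to the metadata field they write.
DEST_KEYS = {"MetaData:Sourcetype": "sourcetype", "MetaData:Host": "host"}

# Constructed syslog lines as they would arrive on the shared udp:514 input.
EVENTS = [
    "Mar  3 10:15:01 host1 sshd[1234]: Accepted publickey for alice from 10.0.0.5",
    "Mar  3 10:15:02 host2 CRON[999]: (root) CMD (run-parts /etc/cron.hourly)",
    "Mar  3 10:15:03 host9 kernel: eth0: link up",
    "Mar  3 10:15:04 host10 sshd[555]: Failed password for bob from 192.0.2.9",
]


def load_stanzas(text):
    """Parse stanza text into {stanza_name: {SETTING: value}}, keeping case."""
    parser = RawConfigParser(delimiters=("=",))
    parser.optionxform = str  # keep REGEX/FORMAT/DEST_KEY upper case
    parser.read_string(text)
    return {name: dict(parser.items(name)) for name in parser.sections()}


def apply_transform(transform, raw, meta):
    """Run one transforms.conf stanza against a raw event; return updated metadata."""
    match = re.search(transform["REGEX"], raw)
    if not match:
        return meta
    _field, value = transform["FORMAT"].split("::", 1)
    # Expand $1, $2, ... with the capture groups, as FORMAT = host::$1 relies on.
    for i, group in enumerate(match.groups(), start=1):
        value = value.replace(f"${i}", group or "")
    return {**meta, DEST_KEYS[transform["DEST_KEY"]]: value}


def transforms_for(props, meta):
    """Names of transforms whose props.conf stanza applies to this event.

    Simplification (assumption): exact stanza matches only, source:: before
    host:: before sourcetype, and TRANSFORMS-<class> settings in sorted order.
    """
    names = []
    specs = (f"source::{meta['source']}", f"host::{meta['host']}", meta["sourcetype"])
    for spec in specs:
        for key, value in sorted(props.get(spec, {}).items()):
            if key.startswith("TRANSFORMS-"):
                names.extend(v.strip() for v in value.split(","))
    return names


def route_event(raw, source, transforms, props, default_sourcetype="syslog"):
    """Metadata for one event after the initial assignment and all overrides."""
    meta = {"source": source, "host": "", "sourcetype": default_sourcetype}
    for name in transforms_for(props, meta):
        meta = apply_transform(transforms[name], raw, meta)
    return meta


def classify_all(props_text=PROPS_CONF, events=EVENTS):
    """Route every constructed event through udp:514 and return its metadata."""
    transforms = load_stanzas(TRANSFORMS_CONF)
    props = load_stanzas(props_text)
    return [route_event(raw, "udp:514", transforms, props) for raw in events]


if __name__ == "__main__":
    for label, text in (("page regex", PROPS_CONF), ("exact regex", PROPS_CONF_STRICT)):
        for meta in classify_all(text):
            print(f"{label:11} host={meta['host']:7} sourcetype={meta['sourcetype']}")
```

Running the script prints both outcomes side by side: with the page's regex, host1, host2 and host10 land in my_log while host9 keeps the default, and with the exact variant only host1 and host2 do. Use the same approach to try a candidate REGEX against a sample of real lines from the input before editing the configuration files and restarting the instance; an overly broad expression silently reroutes events from hosts you did not intend, which changes which field extractions and searches apply to them.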
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.2, 9.3.1, 9.4.0