{"id":61006,"date":"2022-07-26T18:42:42","date_gmt":"2022-07-26T18:42:42","guid":{"rendered":"https:\/\/merikebi.warrenmyers.com\/?p=61006"},"modified":"2022-07-26T18:42:42","modified_gmt":"2022-07-26T18:42:42","slug":"answer-by-warren-for-fluentd-sending-to-splunk-hec-want-to-set-sourcetype-to-the-namespace","status":"publish","type":"post","link":"https:\/\/merikebi.warrenmyers.com\/?p=61006","title":{"rendered":"Answer by warren for Fluentd sending to Splunk HEC: Want to set sourcetype to the namespace"},"content":{"rendered":"

If you have not defined a sourcetype<\/code> in an appropriate props.conf<\/code> (and associated transforms.conf<\/code>), Splunk will try to determine the sourcetype based on heuristics<\/p>\n

Those heuristics are not generally very accurate on custom data sources<\/p>\n

Instead of trying to "programatically set the sourcetype to be the namespace from where the logs were generated", add a field whose contents indicate the namespace from which the logs are generated (eg "namespace")<\/p>\n

It’s much simpler, extends your logging more efficiently, and doesn’t require the definition of scores or hundreds or thousands of individual sourcetypes<\/p>\n

from User warren – Stack Overflow https:\/\/stackoverflow.com\/questions\/50179871\/fluentd-sending-to-splunk-hec-want-to-set-sourcetype-to-the-namespace\/73128253#73128253
\nvia IFTTT<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

If you have not defined a sourcetype in an appropriate props.conf (and associated transforms.conf), Splunk will try to determine the sourcetype based on heuristics Those heuristics are not generally very accurate on custom data sources Instead of trying to "programatically set the sourcetype to be the namespace from where the logs were generated", add a …
Continue reading Answer by warren for Fluentd sending to Splunk HEC: Want to set sourcetype to the namespace<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[4],"tags":[991],"keyring_services":[],"class_list":["post-61006","post","type-post","status-publish","format-standard","hentry","category-blih","tag-stackexchange"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/posts\/61006","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=61006"}],"version-history":[{"count":1,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/posts\/61006\/revisions"}],"predecessor-version":[{"id":61007,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/posts\/61006\/revisions\/61007"}],"wp:attachment":[{"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=61006"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=61006"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=61006"},{"taxonomy":"keyring_services","embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Fkeyring_services&post=61006"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}