topic Does Splunk Add-on for Cisco ASA change the sourcetype for those logs then on and can it change the sourcetype for logs already indexed? in All Apps and Add-ons

Does Splunk Add-on for Cisco ASA change the sourcetype for those logs then on and can it change the sourcetype for logs already indexed?

lancasterad — Wed, 15 Oct 2014 19:52:13 GMT

When you install the Splunk add-on for Cisco ASA does it change the sourcetype for those logs going forward? Also, can it change the sourcetype for logs already indexed?

Re: Does Splunk Add-on for Cisco ASA change the sourcetype for those logs then on and can it change the sourcetype for logs already indexed?

jlanders — Wed, 15 Oct 2014 20:47:35 GMT

If I remember correctly, the props.conf file included with this app uses the "rename=" function. This is a search-time rename so if you have a sourcetype named "foo" and you created this stanza:

[foo]
rename = bar

From now on, you could search "sourcetype=bar" for ALL data indexed of the original sourcetype "foo" because it is a search-time transformation. The original sourcetype should be available in _sourcetype.

You can reference this doc: http://docs.splunk.com/Documentation/Splunk/6.1.3/Admin/Propsconf

Re: Does Splunk Add-on for Cisco ASA change the sourcetype for those logs then on and can it change the sourcetype for logs already indexed?

JimDeich — Mon, 28 Sep 2020 19:16:53 GMT

I don't find that rename clause in the app.

$ pwd
/home/jimd/splunkTAasa/Splunk_TA_cisco-asa/default
$ grep -i rename props.conf
$