topic Re: How do change sourcetype in Splunk Enterprise

How do change sourcetype

sureshmani04 — Sun, 13 Jul 2025 18:20:22 GMT

I am looking for change the source type for this apps Splunk Add-on for Microsoft Security

Re: How do change sourcetype

marnall — Sun, 13 Jul 2025 19:00:24 GMT

When changing the sourcetype, please note that any knowledge objects (field extractions, calculated fields, etc) in the app that apply to the previous sourcetype will then no longer apply, unless you then modify them to apply to the new sourcetype.

It is likely possible to configure the app using the webUI to make the /local/inputs.conf stanzas, which could then be edited to use a different sourcetype.

Another option would be to use transforms to change the sourcetype:

You can put these config files in the local directory of the app (E.g. /opt/splunk/etc/apps/Splunk_TA_MS_Security/local) in the heavy forwarder where you installed the app, or append their contents to existing files of the same name in the local directory.

props.conf

# e.g. if you want to change ms365:defender:incident to "ms:new:sourcetype:value". Add more stanzas for each sourcetype to change. [ms365:defender:incident] TRANSFORMS-ChangeSourceType = ChangeSourceType

transforms.conf

[ChangeSourceType] #custom regex can be set here to apply to matching events REGEX = .* FORMAT = sourcetype::"ms:new:sourcetype:value"

Ref:
https://docs.splunk.com/Documentation/Splunk/latest/Data/Advancedsourcetypeoverrides

Re: How do change sourcetype

inventsekar — Mon, 14 Jul 2025 02:45:29 GMT

Hi @sureshmani04

1) do you want to change the sourcetype of the already indexed data

2) new data that is yet to be onboarded

for the case 1, the answer is no. once the data is ingested, we can not alter / modify anything to the indexed data.

for the case 2, you can refer the previous reply. pls note that, most of the times you need not change/modify the sourcetype of an app/add-on, unless you have some specific requirements, thanks.

Re: How do change sourcetype

isoutamo — Mon, 14 Jul 2025 08:01:31 GMT

Could you describe what is your issue which you are trying to solve? Not the action how you are solving it!

Re: How do change sourcetype

PickleRick — Mon, 14 Jul 2025 09:32:05 GMT

What is the problem you are trying to solve? Not the immediate technical "problem" - how to change sourcetype - but the business one. Why do you want to do that?

Re: How do change sourcetype

inventsekar — Tue, 15 Jul 2025 09:17:49 GMT

Hi @sureshmani04

hope you got the solution.. if so, could you pls mark the question as solved, so it will be moved from unanswered to solved. thanks. karma / upvotes are always welcomed, thanks.