https://community.splunk.com/t5/Getting-Data-In/How-can-I-create-and-update-a-sourcetype-using-the-REST-API/m-p/669033#M112162 <P>Turns out the required approach was different from what I had imagined, and in fact rather simpler. What I needed to do was:</P> <P>1. Load my data file (in this case a sample log file)</P> <P>2.&nbsp;Set up my index:</P> <LI-CODE lang="markup">curl -k -u &lt;user&gt;:&lt;password&gt; https://localhost:8089/servicesNS/admin/search/data/indexes -d name=&lt;index-name&gt;</LI-CODE> <P>3. Monitor the log directory, assigning to it the required source type:</P> <LI-CODE lang="markup">curl -k -u &lt;user&gt;:&lt;password&gt; https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor -d name="/path/to/my/logs" -d index=&lt;index-name&gt; -d host=&lt;host-name&gt; -d sourcetype=&lt;required-source-type&gt;</LI-CODE> <P>All events from that source will be assigned the required source type.</P> Fri, 17 Nov 2023 16:56:36 GMT Mozzieman 2023-11-17T16:56:36Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-create-and-update-a-sourcetype-using-the-REST-API/m-p/659077#M111463 <P>Hi,</P><P>I've been hunting through the <A title="REST API Documentation" href="https://docs.splunk.com/Documentation/Splunk/9.1.1/RESTREF/RESTprolog" target="_self">REST API Documentation</A>&nbsp;, as well as searching online, for the correct endpoint/curl request for maintaining sourcetypes, but haven't found anything. It is a trivial task using the UI, but my use case is that I want to spin up a splunk instance using a script, as part of an automated test process, so UI input won' meet the requirement.</P><P>Can anyone point me in the right direction?</P> Fri, 29 Sep 2023 13:05:50 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-create-and-update-a-sourcetype-using-the-REST-API/m-p/659077#M111463 Mozzieman 2023-09-29T13:05:50Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-create-and-update-a-sourcetype-using-the-REST-API/m-p/659081#M111466 <P>Given that a sourcetype is just a stanza name in a props.conf file, I think you need either the <FONT face="courier new,courier">configs/conf-props</FONT> endpoint or the <FONT face="courier new,courier">properties/props</FONT> endpoint.</P> Fri, 29 Sep 2023 13:33:31 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-create-and-update-a-sourcetype-using-the-REST-API/m-p/659081#M111466 richgalloway 2023-09-29T13:33:31Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-create-and-update-a-sourcetype-using-the-REST-API/m-p/659085#M111467 <P>Thanks for your swift reply! I haven't got the whole answer yet, but that certainly helps as I was not aware of how the config works. Seems like it is probably the local/props.conf file that I need to be updating, referencing <A href="https://docs.splunk.com/Documentation/Splunk/9.1.1/Admin/Propsconf#Sourcetype_configuration" target="_self">this spec</A>. I will do some more research and post a full answer when I have one</P> Fri, 29 Sep 2023 14:24:55 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-create-and-update-a-sourcetype-using-the-REST-API/m-p/659085#M111467 Mozzieman 2023-09-29T14:24:55Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-create-and-update-a-sourcetype-using-the-REST-API/m-p/659092#M111469 <P>Yes, you should update a local config file and (almost) never a default file.</P> Fri, 29 Sep 2023 16:49:59 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-create-and-update-a-sourcetype-using-the-REST-API/m-p/659092#M111469 richgalloway 2023-09-29T16:49:59Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-create-and-update-a-sourcetype-using-the-REST-API/m-p/669033#M112162 <P>Turns out the required approach was different from what I had imagined, and in fact rather simpler. What I needed to do was:</P> <P>1. Load my data file (in this case a sample log file)</P> <P>2.&nbsp;Set up my index:</P> <LI-CODE lang="markup">curl -k -u &lt;user&gt;:&lt;password&gt; https://localhost:8089/servicesNS/admin/search/data/indexes -d name=&lt;index-name&gt;</LI-CODE> <P>3. Monitor the log directory, assigning to it the required source type:</P> <LI-CODE lang="markup">curl -k -u &lt;user&gt;:&lt;password&gt; https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor -d name="/path/to/my/logs" -d index=&lt;index-name&gt; -d host=&lt;host-name&gt; -d sourcetype=&lt;required-source-type&gt;</LI-CODE> <P>All events from that source will be assigned the required source type.</P> Fri, 17 Nov 2023 16:56:36 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-create-and-update-a-sourcetype-using-the-REST-API/m-p/669033#M112162 Mozzieman 2023-11-17T16:56:36Z