https://community.splunk.com/t5/Getting-Data-In/Retiring-an-app-how-do-I-combine-sourcetypes-without-breaking/m-p/136268#M28069 <P>Hello</P> <P>I have two apps apache_forwarder and apache_unified_forwarder. I am getting ready to retire the apache_unified_forwarder app but there are a few issues in inputs.conf that need to be resolved first.</P> <P>I need to combine the sourcetypes. How would I combine this stanza without breaking sourcetyping or duplicating data:</P> <PRE><CODE>[monitor:///var/log/httpd/ssl_access_log] disabled = false sourcetype = s_apache index = apache_access_logs recursive=false whitelist = /ssl_access_log$ followSymlink = false </CODE></PRE> <P>into </P> <PRE><CODE>[monitor:///var/log/httpd/access_log] disabled = false followTail = 0 sourcetype = access_combined index = apache_access_logs recursive=false followSymlink = false whitelist=access_log$ blacklist=ssl [monitor:///var/log/httpd/error_log] disabled = false followTail = 0 sourcetype = apache_error index = apache_access_logs recursive=false followSymlink = false [monitor:///var/log/httpd/ssl_access_log] disabled = false followTail = 0 sourcetype = apache_combined index = apache_access_logs recursive=false followSymlink = false whitelist=ssl_access_log$ [monitor:///var/log/httpd/mod_jk.log] disabled = false followTail = 0 sourcetype = mod_jk index = mod_jk recursive=false followSymlink = false </CODE></PRE> Mon, 28 Sep 2020 20:07:49 GMT tkwaller 2020-09-28T20:07:49Z https://community.splunk.com/t5/Getting-Data-In/Retiring-an-app-how-do-I-combine-sourcetypes-without-breaking/m-p/136268#M28069 <P>Hello</P> <P>I have two apps apache_forwarder and apache_unified_forwarder. I am getting ready to retire the apache_unified_forwarder app but there are a few issues in inputs.conf that need to be resolved first.</P> <P>I need to combine the sourcetypes. How would I combine this stanza without breaking sourcetyping or duplicating data:</P> <PRE><CODE>[monitor:///var/log/httpd/ssl_access_log] disabled = false sourcetype = s_apache index = apache_access_logs recursive=false whitelist = /ssl_access_log$ followSymlink = false </CODE></PRE> <P>into </P> <PRE><CODE>[monitor:///var/log/httpd/access_log] disabled = false followTail = 0 sourcetype = access_combined index = apache_access_logs recursive=false followSymlink = false whitelist=access_log$ blacklist=ssl [monitor:///var/log/httpd/error_log] disabled = false followTail = 0 sourcetype = apache_error index = apache_access_logs recursive=false followSymlink = false [monitor:///var/log/httpd/ssl_access_log] disabled = false followTail = 0 sourcetype = apache_combined index = apache_access_logs recursive=false followSymlink = false whitelist=ssl_access_log$ [monitor:///var/log/httpd/mod_jk.log] disabled = false followTail = 0 sourcetype = mod_jk index = mod_jk recursive=false followSymlink = false </CODE></PRE> Mon, 28 Sep 2020 20:07:49 GMT https://community.splunk.com/t5/Getting-Data-In/Retiring-an-app-how-do-I-combine-sourcetypes-without-breaking/m-p/136268#M28069 tkwaller 2020-09-28T20:07:49Z https://community.splunk.com/t5/Getting-Data-In/Retiring-an-app-how-do-I-combine-sourcetypes-without-breaking/m-p/136269#M28070 <P>I am sure you can figure something out using <CODE>sourcetype renaming</CODE> which allows you to see <EM>both</EM> the original as field <CODE>_sourcetype</CODE> and the renamed one as field <CODE>sourcetype</CODE>:</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Renamesourcetypes">http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Renamesourcetypes</A></P> Thu, 04 Jun 2015 19:11:46 GMT https://community.splunk.com/t5/Getting-Data-In/Retiring-an-app-how-do-I-combine-sourcetypes-without-breaking/m-p/136269#M28070 woodcock 2015-06-04T19:11:46Z https://community.splunk.com/t5/Getting-Data-In/Retiring-an-app-how-do-I-combine-sourcetypes-without-breaking/m-p/136270#M28071 <P>Yes I found that, the problem is that any savedsearch/dashboard/alert that uses sourcetype=whatever will have to be found and changed.</P> <P>Thanks for the link, much appreciated.</P> Thu, 04 Jun 2015 19:51:43 GMT https://community.splunk.com/t5/Getting-Data-In/Retiring-an-app-how-do-I-combine-sourcetypes-without-breaking/m-p/136270#M28071 tkwaller 2015-06-04T19:51:43Z