https://community.splunk.com/t5/Getting-Data-In/Can-we-define-multiple-sourcetypes-for-field-aliases-calculated/m-p/156814#M31783 <P>It was never actually "commisioned" to begin with. It is fallout from the way Splunk processes the <CODE>host::</CODE>, <CODE>source::</CODE>, <CODE>rule::</CODE>, <CODE>delayedrule::</CODE> directives. There is a reason Splunk is removing this <CODE>hack</CODE> from all official TAs and Apps.</P> Fri, 07 Aug 2015 14:32:07 GMT alacercogitatus 2015-08-07T14:32:07Z https://community.splunk.com/t5/Getting-Data-In/Can-we-define-multiple-sourcetypes-for-field-aliases-calculated/m-p/156810#M31779 <P>Hi,</P> <P>is it possible to define field aliases, calculated fields, or automatic lookups for multiple sourcetypes? It would be great to avoid creating a configuration for every sourcetype itself. Wildcards don't help here.</P> <P>Best</P> <P>Heinz</P> Fri, 07 Aug 2015 07:44:46 GMT https://community.splunk.com/t5/Getting-Data-In/Can-we-define-multiple-sourcetypes-for-field-aliases-calculated/m-p/156810#M31779 HeinzWaescher 2015-08-07T07:44:46Z https://community.splunk.com/t5/Getting-Data-In/Can-we-define-multiple-sourcetypes-for-field-aliases-calculated/m-p/156811#M31780 <P>Actually, there is an undocumented wildcard syntax for <CODE>props.conf</CODE> ; it works like this:</P> <PRE><CODE>[(?:::){0}SourcetypePrefxTextHere*] </CODE></PRE> <P>So this matches anything that starts with <CODE>SourcetypePrefixTextHere</CODE> and matches will be processed in this <CODE>props.conf</CODE> stanza.</P> Fri, 07 Aug 2015 13:53:26 GMT https://community.splunk.com/t5/Getting-Data-In/Can-we-define-multiple-sourcetypes-for-field-aliases-calculated/m-p/156811#M31780 woodcock 2015-08-07T13:53:26Z https://community.splunk.com/t5/Getting-Data-In/Can-we-define-multiple-sourcetypes-for-field-aliases-calculated/m-p/156812#M31781 <P>No, you cannot have wildcarded sourcetype configurations. As @woodcock mentioned, there is a hack, a really messy hack. It is undocumented for many reasons.</P> <P>You should not use it for these reasons:</P> <OL> <LI>This <EM>feature</EM> is not a <STRONG>feature</STRONG></LI> <LI>It is not supported</LI> <LI>It is not QA'ed</LI> <LI>It is not guaranteed to exist in next release</LI> <LI>Performance impacts at scale</LI> <LI>Adds complexity to troubleshooting and future development</LI> </OL> <P>Here is the blog post where this stems from <A href="http://blogs.splunk.com/2014/07/31/quick-tip-wildcard-sourcetypes-in-props-conf/">http://blogs.splunk.com/2014/07/31/quick-tip-wildcard-sourcetypes-in-props-conf/</A><BR /> Additionally - @jrodman says not to use it, and he would know.</P> Fri, 07 Aug 2015 14:10:27 GMT https://community.splunk.com/t5/Getting-Data-In/Can-we-define-multiple-sourcetypes-for-field-aliases-calculated/m-p/156812#M31781 alacercogitatus 2015-08-07T14:10:27Z https://community.splunk.com/t5/Getting-Data-In/Can-we-define-multiple-sourcetypes-for-field-aliases-calculated/m-p/156813#M31782 <P>Other users have mentioned that this hack was actually suggested to them by Splunk personnel and I cannot see Splunk ever decommissioning it because of this. It does work and I use it in production but I do keep an eye on it.</P> Fri, 07 Aug 2015 14:23:53 GMT https://community.splunk.com/t5/Getting-Data-In/Can-we-define-multiple-sourcetypes-for-field-aliases-calculated/m-p/156813#M31782 woodcock 2015-08-07T14:23:53Z https://community.splunk.com/t5/Getting-Data-In/Can-we-define-multiple-sourcetypes-for-field-aliases-calculated/m-p/156814#M31783 <P>It was never actually "commisioned" to begin with. It is fallout from the way Splunk processes the <CODE>host::</CODE>, <CODE>source::</CODE>, <CODE>rule::</CODE>, <CODE>delayedrule::</CODE> directives. There is a reason Splunk is removing this <CODE>hack</CODE> from all official TAs and Apps.</P> Fri, 07 Aug 2015 14:32:07 GMT https://community.splunk.com/t5/Getting-Data-In/Can-we-define-multiple-sourcetypes-for-field-aliases-calculated/m-p/156814#M31783 alacercogitatus 2015-08-07T14:32:07Z https://community.splunk.com/t5/Getting-Data-In/Can-we-define-multiple-sourcetypes-for-field-aliases-calculated/m-p/156815#M31784 <P>Conceded: <CODE>decommission</CODE> was the wrong word. I should have said, "make a change that will break it".</P> Fri, 07 Aug 2015 16:47:37 GMT https://community.splunk.com/t5/Getting-Data-In/Can-we-define-multiple-sourcetypes-for-field-aliases-calculated/m-p/156815#M31784 woodcock 2015-08-07T16:47:37Z https://community.splunk.com/t5/Getting-Data-In/Can-we-define-multiple-sourcetypes-for-field-aliases-calculated/m-p/156816#M31785 <P>Thanks for your input!</P> Tue, 11 Aug 2015 07:39:57 GMT https://community.splunk.com/t5/Getting-Data-In/Can-we-define-multiple-sourcetypes-for-field-aliases-calculated/m-p/156816#M31785 HeinzWaescher 2015-08-11T07:39:57Z https://community.splunk.com/t5/Getting-Data-In/Can-we-define-multiple-sourcetypes-for-field-aliases-calculated/m-p/156817#M31786 <P>So... since 2015, has Splunk provided a way to do this? With some add-ons creating a multitude of sub-sourcetypes, this seems like a fairly compelling need. My use case is to create a transaction_id across all proofpoint sub-sourcetypes (to span across the sourcetypes all instances of qid or sendmail_id). I don't want to have to create one for every soucetype. <span class="lia-unicode-emoji" title=":confused_face:">😕</span></P> Wed, 30 Sep 2020 02:03:14 GMT https://community.splunk.com/t5/Getting-Data-In/Can-we-define-multiple-sourcetypes-for-field-aliases-calculated/m-p/156817#M31786 wryanthomas 2020-09-30T02:03:14Z https://community.splunk.com/t5/Getting-Data-In/Can-we-define-multiple-sourcetypes-for-field-aliases-calculated/m-p/156818#M31787 <P>Works in the web interface too.</P> Thu, 05 Dec 2019 01:36:50 GMT https://community.splunk.com/t5/Getting-Data-In/Can-we-define-multiple-sourcetypes-for-field-aliases-calculated/m-p/156818#M31787 splunkmarc 2019-12-05T01:36:50Z https://community.splunk.com/t5/Getting-Data-In/Can-we-define-multiple-sourcetypes-for-field-aliases-calculated/m-p/156819#M31788 <P>Thanks. Can you elaborate? What exactly did you enter in the web interface? (Maybe share a screenshot?)</P> Thu, 05 Dec 2019 13:30:14 GMT https://community.splunk.com/t5/Getting-Data-In/Can-we-define-multiple-sourcetypes-for-field-aliases-calculated/m-p/156819#M31788 wryanthomas 2019-12-05T13:30:14Z https://community.splunk.com/t5/Getting-Data-In/Can-we-define-multiple-sourcetypes-for-field-aliases-calculated/m-p/156820#M31789 <P>He means that if you go to <CODE>Settings</CODE> -&gt; <CODE>Fields</CODE> -&gt; <CODE>Calculated Fields</CODE> -&gt; <CODE>New</CODE> (or similar) and enter <CODE>(?:::){0}SourcetypePrefxTextHere*</CODE> for the <CODE>named</CODE> field under <CODE>Apply to</CODE> when <CODE>sourcetype</CODE> is selected, it will work as a wildcard.</P> Thu, 05 Dec 2019 16:20:03 GMT https://community.splunk.com/t5/Getting-Data-In/Can-we-define-multiple-sourcetypes-for-field-aliases-calculated/m-p/156820#M31789 woodcock 2019-12-05T16:20:03Z https://community.splunk.com/t5/Getting-Data-In/Can-we-define-multiple-sourcetypes-for-field-aliases-calculated/m-p/156821#M31790 <P>No, this is till the only way and it is in many Splunk apps that Splunk themselves created and support. It is rock solid and never going away.</P> Thu, 05 Dec 2019 16:21:44 GMT https://community.splunk.com/t5/Getting-Data-In/Can-we-define-multiple-sourcetypes-for-field-aliases-calculated/m-p/156821#M31790 woodcock 2019-12-05T16:21:44Z