https://community.splunk.com/t5/Getting-Data-In/Sourcetype-Aliases/m-p/26849#M4461 <P>I don't think this is what you want to do, though the specific answer to how to alias a sourcetype is given later. It seems to me that you simply want to specify a sourcetype for a set of input files. Normally, you can simply specify one when you create the input, either in the Manager GUI, or with <CODE>sourcetype = mysourcetype</CODE> in inputs.conf, or with a sourcetype stanza based on source in props.conf.</P> <P>If you were using a Splunk forwarder that would be it. If not, you may have to use a TRANSFORM stanza to modify/set the sourcetype at index time, much as with host names: <A href="http://www.splunk.com/base/Documentation/latest/Admin/Overridedefaulthostassignments" rel="nofollow">http://www.splunk.com/base/Documentation/latest/Admin/Overridedefaulthostassignments</A></P> <P>You can rename sourcetypes in 4.x. <CODE>props.conf.spec</CODE> says:</P> <PRE><CODE>rename = &lt;string&gt; * Renames &lt;sourcetype&gt; as &lt;string&gt; * With renaming, you can search for the sourcetype with sourcetype=&lt;string&gt; * To search for the original sourcetype without renaming, use the field _sourcetype </CODE></PRE> <P>therefore, for example:</P> <PRE><CODE>[myoldsourcetype] rename = mynewsourcetype </CODE></PRE> Tue, 10 Aug 2010 13:59:44 GMT gkanapathy 2010-08-10T13:59:44Z https://community.splunk.com/t5/Getting-Data-In/Sourcetype-Aliases/m-p/26848#M4460 <P>According to the documentation for Splunk version 3.x there is the ability to alias a sourcetype, however it does not appear to exist under version 4.x.</P> <P>I find myself in the position where I have many applications all logging via log4j and would like to be able to filter my searches on application type.</P> <P>I was hoping to be able to setup the forwarders via the CLI, adding the monitor statements with an explicit -sourcetype.</P> <P>The only other option I can see is to setup TAGs on each of the source statements based on filename (Can tags be managed automatically for certain sources, perhaps based on a regex?)</P> <P>Any suggestions or clarifications would be greatly appreciated.</P> <P>Regards,</P> <P>mgh</P> <P>P.S. In case it was not immediately obvious, yes I am very new to splunk.</P> Tue, 10 Aug 2010 06:32:40 GMT https://community.splunk.com/t5/Getting-Data-In/Sourcetype-Aliases/m-p/26848#M4460 mgherman 2010-08-10T06:32:40Z https://community.splunk.com/t5/Getting-Data-In/Sourcetype-Aliases/m-p/26849#M4461 <P>I don't think this is what you want to do, though the specific answer to how to alias a sourcetype is given later. It seems to me that you simply want to specify a sourcetype for a set of input files. Normally, you can simply specify one when you create the input, either in the Manager GUI, or with <CODE>sourcetype = mysourcetype</CODE> in inputs.conf, or with a sourcetype stanza based on source in props.conf.</P> <P>If you were using a Splunk forwarder that would be it. If not, you may have to use a TRANSFORM stanza to modify/set the sourcetype at index time, much as with host names: <A href="http://www.splunk.com/base/Documentation/latest/Admin/Overridedefaulthostassignments" rel="nofollow">http://www.splunk.com/base/Documentation/latest/Admin/Overridedefaulthostassignments</A></P> <P>You can rename sourcetypes in 4.x. <CODE>props.conf.spec</CODE> says:</P> <PRE><CODE>rename = &lt;string&gt; * Renames &lt;sourcetype&gt; as &lt;string&gt; * With renaming, you can search for the sourcetype with sourcetype=&lt;string&gt; * To search for the original sourcetype without renaming, use the field _sourcetype </CODE></PRE> <P>therefore, for example:</P> <PRE><CODE>[myoldsourcetype] rename = mynewsourcetype </CODE></PRE> Tue, 10 Aug 2010 13:59:44 GMT https://community.splunk.com/t5/Getting-Data-In/Sourcetype-Aliases/m-p/26849#M4461 gkanapathy 2010-08-10T13:59:44Z