https://community.splunk.com/t5/Getting-Data-In/How-do-i-make-stored-logs-be-parsed-according-to-a-diffrent/m-p/280107#M53614 <P>You will need to change the sourcetype on the host machine(s) where the forwarder is installed on. You will edit the <CODE>inputs.conf</CODE> and change the sourcetype there </P> <P>What's the name of the app and which machine did you install the app on? I'm assuming you will need it installed on the indexer since that does the parsing.. </P> Mon, 25 Jul 2016 17:05:47 GMT skoelpin 2016-07-25T17:05:47Z https://community.splunk.com/t5/Getting-Data-In/How-do-i-make-stored-logs-be-parsed-according-to-a-diffrent/m-p/280105#M53612 <P>I have a logs stored in splunk and they are of sourcetype=test, but I recently found this app that parses these type of logs but it needs a different sourcetype (sourcetype=good_type) to parse them. I tried sourcetype renaming but it only changed the name of the sourcetype but the logs did not get parsed by the app.</P> Mon, 25 Jul 2016 15:47:40 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-i-make-stored-logs-be-parsed-according-to-a-diffrent/m-p/280105#M53612 mkudejim 2016-07-25T15:47:40Z https://community.splunk.com/t5/Getting-Data-In/How-do-i-make-stored-logs-be-parsed-according-to-a-diffrent/m-p/280106#M53613 <P>You would need to update the inputs.conf using which the data is collected to change the sourcetype from test to good_type (recommended). In order for new sourcetype parsing to take place, it has to apply before it's indexed.</P> Mon, 25 Jul 2016 17:05:38 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-i-make-stored-logs-be-parsed-according-to-a-diffrent/m-p/280106#M53613 somesoni2 2016-07-25T17:05:38Z https://community.splunk.com/t5/Getting-Data-In/How-do-i-make-stored-logs-be-parsed-according-to-a-diffrent/m-p/280107#M53614 <P>You will need to change the sourcetype on the host machine(s) where the forwarder is installed on. You will edit the <CODE>inputs.conf</CODE> and change the sourcetype there </P> <P>What's the name of the app and which machine did you install the app on? I'm assuming you will need it installed on the indexer since that does the parsing.. </P> Mon, 25 Jul 2016 17:05:47 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-i-make-stored-logs-be-parsed-according-to-a-diffrent/m-p/280107#M53614 skoelpin 2016-07-25T17:05:47Z https://community.splunk.com/t5/Getting-Data-In/How-do-i-make-stored-logs-be-parsed-according-to-a-diffrent/m-p/280108#M53615 <P>After setting the new sourcetype, I assume you want to re-index the data, right? It means running the soft delete using <CODE>| delete</CODE> for this data and clearing the caching in the <CODE>fishbucket</CODE> - definitely at the forwarder level but potentially also at the index level.</P> <P>Then when re-indexing and having the modified <CODE>inputs.conf</CODE>, you should be fine.</P> Mon, 25 Jul 2016 17:20:45 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-i-make-stored-logs-be-parsed-according-to-a-diffrent/m-p/280108#M53615 ddrillic 2016-07-25T17:20:45Z https://community.splunk.com/t5/Getting-Data-In/How-do-i-make-stored-logs-be-parsed-according-to-a-diffrent/m-p/280109#M53616 <P>It's TA for Symantec Endpoint Protection (syslog), I installed the app on the search head and the forwarder, I would need to install it on the indexer right?</P> Mon, 25 Jul 2016 17:34:15 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-i-make-stored-logs-be-parsed-according-to-a-diffrent/m-p/280109#M53616 mkudejim 2016-07-25T17:34:15Z https://community.splunk.com/t5/Getting-Data-In/How-do-i-make-stored-logs-be-parsed-according-to-a-diffrent/m-p/280110#M53617 <P>Are you using Universal Forwarders or a Heavy Forwarder? </P> <P>Universal forwarders are unable to parse data, they can only forward data to the indexer which will then parse it. So for this app to work, it will need to be on the indexer and you will need to change your sourcetype name on the forwarder in the <CODE>inputs.conf</CODE> file.</P> <P>So go onto one of your forwarders to test this and go to </P> <P><CODE>Splunk/etc/system/local/inputs.conf</CODE> and change your sourcetype </P> Mon, 25 Jul 2016 17:49:23 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-i-make-stored-logs-be-parsed-according-to-a-diffrent/m-p/280110#M53617 skoelpin 2016-07-25T17:49:23Z https://community.splunk.com/t5/Getting-Data-In/How-do-i-make-stored-logs-be-parsed-according-to-a-diffrent/m-p/280111#M53618 <P>would I add a stanza like this one to inputs.conf to change the sourcetype?</P> <P>[test]<BR /> rename=good_type</P> Mon, 25 Jul 2016 18:22:43 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-i-make-stored-logs-be-parsed-according-to-a-diffrent/m-p/280111#M53618 mkudejim 2016-07-25T18:22:43Z https://community.splunk.com/t5/Getting-Data-In/How-do-i-make-stored-logs-be-parsed-according-to-a-diffrent/m-p/280112#M53619 <P>Your stanza in <CODE>inputs.conf</CODE> should look like this</P> <P>Make sure to put in the hostname of the machine, the path you want to monitor, and the index you want this to go into.. Also make sure you restart the forwarder service after making these changes</P> <PRE><CODE>[default] host = SERVERNAME [monitor://PATH_NAME] disabled = false sourcetype = good_type index = YOUR INDEX </CODE></PRE> Mon, 25 Jul 2016 18:36:45 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-i-make-stored-logs-be-parsed-according-to-a-diffrent/m-p/280112#M53619 skoelpin 2016-07-25T18:36:45Z https://community.splunk.com/t5/Getting-Data-In/How-do-i-make-stored-logs-be-parsed-according-to-a-diffrent/m-p/280113#M53620 <P>Were you able to get this going? If this helped then can you accept/like the answer</P> Tue, 26 Jul 2016 13:50:05 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-i-make-stored-logs-be-parsed-according-to-a-diffrent/m-p/280113#M53620 skoelpin 2016-07-26T13:50:05Z