https://community.splunk.com/t5/Getting-Data-In/Sourcetype-alias/m-p/384219#M95207 <P>There are few options you can consider<BR /> 1. sourcetype aliasing is NOT a good option. This is because it is an sourcetype is indextime field and fundamental data transforms work off the sourcetype. But you can have two sourcetypes alongside till time runs ahead and the old sourcetype data is deleted in say 1 or 2 years? There is no issue in using old sourcetype and new sourcetype , but users may need to put an OR condition.<BR /> 2. Create an eventtype something like this in eventtypes.conf</P> <PRE><CODE>[aws_cloudtrail] search = (sourcetype=yourOldSourcetype OR sourcetype=aws:cloudtrail) </CODE></PRE> <P>and in searches , just use <CODE>eventtype=aws_cloudtrail</CODE>. This makes it transparent to user</P> <P>3) this is cumbersome option of reindexing the old sourcetype to new sourcetype. More licensing, more work etc.</P> Wed, 22 May 2019 07:43:29 GMT koshyk 2019-05-22T07:43:29Z https://community.splunk.com/t5/Getting-Data-In/Sourcetype-alias/m-p/384218#M95206 <P>Hi,</P> <P>We have been using a custom method to get cloudtrail to Splunk by using log files on a server that has the Cloudtrail data. This custom method was setup sometime back and has been using a sourcetype that is different to the one that comes via the AWS Add On ("aws:cloudtrail"). As we are now planning to migrate off this method and move to AWS Add On, is there any way that we can still use the old sourcetype along with "aws:cloudtrail" by sourcetype aliasing, if that is an option?</P> <P>Thanks.</P> <P>AKN</P> Wed, 22 May 2019 06:56:22 GMT https://community.splunk.com/t5/Getting-Data-In/Sourcetype-alias/m-p/384218#M95206 aknsun 2019-05-22T06:56:22Z https://community.splunk.com/t5/Getting-Data-In/Sourcetype-alias/m-p/384219#M95207 <P>There are few options you can consider<BR /> 1. sourcetype aliasing is NOT a good option. This is because it is an sourcetype is indextime field and fundamental data transforms work off the sourcetype. But you can have two sourcetypes alongside till time runs ahead and the old sourcetype data is deleted in say 1 or 2 years? There is no issue in using old sourcetype and new sourcetype , but users may need to put an OR condition.<BR /> 2. Create an eventtype something like this in eventtypes.conf</P> <PRE><CODE>[aws_cloudtrail] search = (sourcetype=yourOldSourcetype OR sourcetype=aws:cloudtrail) </CODE></PRE> <P>and in searches , just use <CODE>eventtype=aws_cloudtrail</CODE>. This makes it transparent to user</P> <P>3) this is cumbersome option of reindexing the old sourcetype to new sourcetype. More licensing, more work etc.</P> Wed, 22 May 2019 07:43:29 GMT https://community.splunk.com/t5/Getting-Data-In/Sourcetype-alias/m-p/384219#M95207 koshyk 2019-05-22T07:43:29Z https://community.splunk.com/t5/Getting-Data-In/Sourcetype-alias/m-p/384220#M95208 <P>It's not clear if they are (and I suspect that that they aren't if they're coming out of log files), but <STRONG>if</STRONG> your old style events are in the same format as the aws:cloudtrail events then you should be able to use a rename=aws:cloudtrail in the props.conf on your Search Head(s).</P> <P>[old_sourcetype]<BR /> rename = aws:cloudtrail</P> <P>Ref: <A href="https://docs.splunk.com/Documentation/Splunk/latest/Data/Renamesourcetypes">https://docs.splunk.com/Documentation/Splunk/latest/Data/Renamesourcetypes</A></P> Wed, 22 May 2019 07:53:32 GMT https://community.splunk.com/t5/Getting-Data-In/Sourcetype-alias/m-p/384220#M95208 chris_barrett 2019-05-22T07:53:32Z https://community.splunk.com/t5/Getting-Data-In/Sourcetype-alias/m-p/384221#M95209 <P>Thanks @koshyk. Let me try out this option.</P> Wed, 22 May 2019 08:29:41 GMT https://community.splunk.com/t5/Getting-Data-In/Sourcetype-alias/m-p/384221#M95209 aknsun 2019-05-22T08:29:41Z https://community.splunk.com/t5/Getting-Data-In/Sourcetype-alias/m-p/384222#M95210 <P>Hi @chris_barrett. Thanks for the suggestion.</P> Wed, 22 May 2019 08:30:51 GMT https://community.splunk.com/t5/Getting-Data-In/Sourcetype-alias/m-p/384222#M95210 aknsun 2019-05-22T08:30:51Z