https://community.splunk.com/t5/Splunk-Search/How-to-reset-sourcetype-and-do-field-extractions-using-props/m-p/294026#M88762 <P>Resetting it at the Indexer is "better" because it actually <EM>changes</EM> the sourcetype but you can also <EM>pretend</EM> that the sourcetype has been changed and refer to it by a new name by using the sourcetype <CODE>rename</CODE> configuration on the Search Head:</P> <P><A href="https://docs.splunk.com/Documentation/Splunk/6.6.0/Data/Renamesourcetypes">https://docs.splunk.com/Documentation/Splunk/6.6.0/Data/Renamesourcetypes</A></P> Wed, 17 May 2017 01:43:23 GMT woodcock 2017-05-17T01:43:23Z https://community.splunk.com/t5/Splunk-Search/How-to-reset-sourcetype-and-do-field-extractions-using-props/m-p/294024#M88760 <P>My Splunk setup has 3 layers,</P> <OL> <LI>Forwarders - 50+</LI> <LI>Indexers - 4, running on different machines</LI> <LI>Search Heads - 3, running on different machines</LI> </OL> <P><STRONG><EM>Question 1: Resetting the sourcetype</EM></STRONG><BR /> Logs are being assigned the sourcetype set in inputs.conf of the forwarders. I want to change it to a different sourcetype.</P> <P>Since the forwarders are being owned by a different team and they are not willing to make changes, I will need to reset the sourcetype using props.conf and transforms.conf.</P> <P><STRONG>Can I reset the sourcetype at the Search Head? Or should I do it at the indexer? - Which is better?</STRONG></P> <P><STRONG><EM>Question 2: Fields extractions</EM></STRONG><BR /> I need to extract four fields using props.conf.<BR /> <STRONG>Can I do these extractions at the Search Head (the preferred option)? Or should I do it at the indexer only?</STRONG></P> <P>Note: I am using Splunk Enterprise</P> <P>Thanks,<BR /> Deepak</P> Mon, 15 May 2017 18:03:21 GMT https://community.splunk.com/t5/Splunk-Search/How-to-reset-sourcetype-and-do-field-extractions-using-props/m-p/294024#M88760 deepak02 2017-05-15T18:03:21Z https://community.splunk.com/t5/Splunk-Search/How-to-reset-sourcetype-and-do-field-extractions-using-props/m-p/294025#M88761 <P>Hello @deepak02</P> <P>A) For sourcetype renaming you can do this.<BR /> Add to your <CODE>props.conf</CODE> on your indexer/s.</P> <PRE><CODE>[your_sourcetype] TRANSFORMS-sourcetype_renaming = renaming_old_sourcetype </CODE></PRE> <P>Add to your <CODE>transforms.conf</CODE> on your indexer/s.</P> <PRE><CODE>[renaming_old_sourcetype] SOURCE_KEY = MetaData:Source REGEX = &lt;regex matching your source of events&gt; DEST_KEY = MetaData:Sourcetype FORMAT = sourcetype::&lt;new_sourcetype&gt; </CODE></PRE> <P>B) You should read this pages of Splunk documentation: <A href="http://docs.splunk.com/Documentation/Splunk/6.5.3/Knowledge/Createandmaintainsearch-timefieldextractionsthroughconfigurationfiles#When_to_use_inline_or_transform_extractions">http://docs.splunk.com/Documentation/Splunk/6.5.3/Knowledge/Createandmaintainsearch-timefieldextractionsthroughconfigurationfiles#When_to_use_inline_or_transform_extractions</A></P> <P>Hope it helps.</P> Mon, 15 May 2017 19:11:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-reset-sourcetype-and-do-field-extractions-using-props/m-p/294025#M88761 alemarzu 2017-05-15T19:11:31Z https://community.splunk.com/t5/Splunk-Search/How-to-reset-sourcetype-and-do-field-extractions-using-props/m-p/294026#M88762 <P>Resetting it at the Indexer is "better" because it actually <EM>changes</EM> the sourcetype but you can also <EM>pretend</EM> that the sourcetype has been changed and refer to it by a new name by using the sourcetype <CODE>rename</CODE> configuration on the Search Head:</P> <P><A href="https://docs.splunk.com/Documentation/Splunk/6.6.0/Data/Renamesourcetypes">https://docs.splunk.com/Documentation/Splunk/6.6.0/Data/Renamesourcetypes</A></P> Wed, 17 May 2017 01:43:23 GMT https://community.splunk.com/t5/Splunk-Search/How-to-reset-sourcetype-and-do-field-extractions-using-props/m-p/294026#M88762 woodcock 2017-05-17T01:43:23Z