Is it possible to change the sourcetype in the app from cisco:ios to ciscoios? If not, how would I configure the app to work with our existing sourcetype?

jaywilwk
Engager
0 Karma

mikaelbje
Motivator

I would go for sourcetype renaming for a short-term solution. Some of the queries in the app reference an eventtype, others search for the sourcetype directly. I will correct this in the next version of the app so that you only have to change the eventtype definition. If you are using the built-in transform to transform the sourcetype to cisco:ios from syslog, you will also need to change that one place in transforms.conf.

0 Karma

mikaelbje
Motivator

Version 2.2.2 of the app now only relies on eventtypes. If you'd like to use a different sourcetype you can do the following:

In TA-cisco_ios/local/, create eventtypes.conf and add:

    [cisco_ios]
    search = sourcetype=YOUR_SOURCETYPE_NAME

2.2.2 is unreleased, but you can get it from my development repo at github.com/inspired

0 Karma

Runals
Motivator

I haven't used the app, but the general process would be to look at the queries used and change the referenced sourcetype. In an ideal world the queries would use either a macro or an eventtype where the sourcetype is defined, and then the queries reference the eventtype/macro. If that isn't how this app is built, I might suggest creating these structures and putting them in place as you update the app so that it works for you.

For example, you might have a macro like this in macros.conf:

    [Cisco_data]
    definition = index=foo sourcetype=ciscoios

Queries would then call the macro instead of naming the sourcetype:

    `Cisco_data` | stats count by <whatever>

A more extreme approach would be to adjust your inputs to change the name of new data and put in a sourcetype rename for your existing data (props.conf). This would probably upset any existing content using the current name. There isn't a field alias equivalent for a sourcetype (that I know of) where you could have one sourcetype with two sourcetype 'names'.

0 Karma
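A small scanner, added here as an example rather than anything from the thread or the app, that does what mikaelbje's 2.2.2 change and Runals' "look at the queries" advice both call for: it parses Splunk .conf text and lists every stanza whose search string names a sourcetype directly instead of going through an eventtype or macro. The savedsearches.conf content is constructed for illustration and is not the real TA-cisco_ios content.

```python
# Scan Splunk app .conf text for searches that hard-code a sourcetype.
import re

# Matches sourcetype=foo or sourcetype="foo" inside an SPL search string.
SOURCETYPE_RE = re.compile(r'\bsourcetype\s*=\s*"?([^\s"|)]+)"?')


def parse_conf(text):
    """Minimal Splunk .conf parser: [stanza] headers, key = value lines,
    trailing-backslash continuations, # comments -> {stanza: {key: value}}."""
    stanzas, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw
        if line.rstrip().endswith("\\"):  # value continues on the next line
            pending = line.rstrip()[:-1] + " "
            continue
        pending = ""
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def hardcoded_sourcetypes(conf_text, key="search"):
    """{stanza: [sourcetypes]} for stanzas whose `key` attribute ("search" in
    savedsearches/eventtypes.conf, "definition" in macros.conf) names a
    sourcetype directly; in an eventtype-only app the only hit is the eventtype."""
    hits = {}
    for name, attrs in parse_conf(conf_text).items():
        found = SOURCETYPE_RE.findall(attrs.get(key, ""))
        if found:
            hits[name] = found
    return hits


# Constructed sample savedsearches.conf: the first search goes through the
# eventtype, the second bypasses it and returns nothing once data is ciscoios.
SAMPLE_SAVEDSEARCHES = """
[Interface flaps]
search = eventtype=cisco_ios "%LINK-3-UPDOWN" | stats count by host

[Config changes]
search = sourcetype=cisco:ios "%SYS-5-CONFIG_I" \\
  | table _time host message
"""
```

Run it over each .conf in the app's default/ directory (with key="definition" for macros.conf); any stanza other than the cisco_ios eventtype that shows up still needs the local override or a manual edit.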

lguinn2
Legend

There is an exact equivalent for sourcetypes: it is called sourcetype renaming: http://docs.splunk.com/Documentation/Splunk/6.2.2/Data/Renamesourcetypes

0 Karma

Runals
Motivator

That is what I was referencing in terms of renaming =). I don't think of that as field aliasing, in that with a field alias it is quickly apparent to users that multiple fields exist. It isn't as apparent that there is a different sourcetype that can be leveraged.

0 Karma

lguinn2
Legend

You could go through all the configuration files in the app, changing the sourcetype wherever it appears. But that is a pain and prone to error.

I would just create an alias. Go to Settings -> Fields -> Sourcetype renaming. Click "New" and fill in the form.
Note that you have to pick an app for this; you should probably choose the Cisco Networks Add-on. Once you have created the entry, you should set its permissions so that everyone can use it (read permission).
