I would go for sourcetype renaming for a short term solution. Some of the queries in the app reference an eventtype, others search for sourcetype directly. I will correct this in the next version of the app so that you only have to change the eventtype definition. If you are using the built-in transform to transform the sourcetype to cisco:ios from syslog you will also need to change that one place in transforms.conf
Version 2.2.2 of the app now only relies on eventtypes. If you'd like to use a different sourcetype you can do the following:
In TA-cisco_ios/local/
Create eventtypes.conf
Add:
[cisco_ios]
search = sourcetype=YOUR_SOURCETYPE_NAME
2.2.2 is unreleased, but you can get it from my development repo at github.com/inspired
I haven't used the app but the general process would be to look at the queries used and change the referenced sourcetype. In an ideal world the queries would use either a macro or eventtype where the sourcetype is defined and then the queries reference the eventtype/macro. If that isn't how this app is built I might suggest creating these structures and put them in place as you update the app so that it works for you.
For example you might have a macro like
Cisco_data
index = foo sourcetype=ciscoios
Queries
`Cisco_data` | stats count by <whatever>
A more extreme approach would be to adjust your inputs to change the name of new data and put in a sourcetype rename for your existing data (props.conf). This would probably upset any existing content using the current name. There isn't a fieldalias equivalent for a sourcetype (that I know of) where you could have 1 sourcetype have 2 sourcetype 'names'
There is exactly an equivalent for sourcetypes - it is called sourcetype renaming: http://docs.splunk.com/Documentation/Splunk/6.2.2/Data/Renamesourcetypes
That is what I was referencing in terms of renaming =). I don't think of that as field aliasing in that with a field alias it is quickly apparent to users multiple fields exist. It isn't as apparent there is a different sourcetype that can be leveraged.
You could go through all the configuration files in the app, changing the sourcetype wherever it appears. But that is a pain and prone to error.
I would just create an alias. Go to Settings -> Fields -> Sourcetype renaming. Click "new" and fill in the form.
Note that you have to pick an app for this - you should probably choose the Cisco Networks Add-on. Once you have created the entry, you should set its permissions so that everyone can use it (read permission).