
Is it possible to change the sourcetype in the app from cisco:ios to ciscoios? If not, how would I configure the app to work with our existing sourcetype?

jaywilwk
Engager
0 Karma

mikaelbje
Motivator

I would go for sourcetype renaming as a short-term solution. Some of the queries in the app reference an eventtype; others search for the sourcetype directly. I will correct this in the next version of the app so that you only have to change the eventtype definition. If you are using the built-in transform to change the sourcetype to cisco:ios from syslog, you will also need to change that one place in transforms.conf.

0 Karma

mikaelbje
Motivator

Version 2.2.2 of the app now only relies on eventtypes. If you'd like to use a different sourcetype you can do the following:

In TA-cisco_ios/local/

Create eventtypes.conf
Add:

[cisco_ios]
search = sourcetype=YOUR_SOURCETYPE_NAME

2.2.2 is unreleased, but you can get it from my development repo at github.com/inspired

0 Karma

Runals
Motivator

I haven't used the app, but the general process would be to look at the queries used and change the referenced sourcetype. In an ideal world the queries would use either a macro or an eventtype where the sourcetype is defined, and then the queries reference the eventtype/macro. If that isn't how this app is built, I might suggest creating these structures and putting them in place as you update the app so that it works for you.

For example you might have a macro like

Cisco_data
index = foo sourcetype=ciscoios

Queries

`Cisco_data` | stats count by <whatever>

A more extreme approach would be to adjust your inputs to change the name of new data and put in a sourcetype rename for your existing data (props.conf). This would probably upset any existing content using the current name. There isn't a fieldalias equivalent for a sourcetype (that I know of) where you could have one sourcetype have two sourcetype 'names'.

0 Karma

lguinn2
Legend

There is exactly an equivalent for sourcetypes - it is called sourcetype renaming: http://docs.splunk.com/Documentation/Splunk/6.2.2/Data/Renamesourcetypes

0 Karma

Runals
Motivator

That is what I was referencing in terms of renaming =). I don't think of that as field aliasing in that with a field alias it is quickly apparent to users multiple fields exist. It isn't as apparent there is a different sourcetype that can be leveraged.

0 Karma

lguinn2
Legend

You could go through all the configuration files in the app, changing the sourcetype wherever it appears. But that is a pain and prone to error.

I would just create an alias. Go to Settings -> Fields -> Sourcetype renaming. Click "new" and fill in the form.
Note that you have to pick an app for this - you should probably choose the Cisco Networks Add-on. Once you have created the entry, you should set its permissions so that everyone can use it (read permission).
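The two approaches in this thread (audit the app's .conf files for direct sourcetype references and repoint them, or leave the app alone and add a props.conf sourcetype rename so existing data shows up under the name the app expects) can both be worked through offline. The script below is an added example, not part of the app or of any post above: it parses a constructed, hypothetical fragment of Splunk-style .conf text (stanza headers, key = value lines, backslash continuations), lists which stanzas still search for a sourcetype directly rather than through an eventtype, rewrites those references, and builds the props.conf rename stanza. The stanza names, sourcetype values and index name in the sample are made up for illustration.

```python
import re
from typing import Dict, List

# Constructed sample .conf text (hypothetical, not the real TA-cisco_ios files).
# Two stanzas search the sourcetype directly, one goes through the eventtype,
# and one is a macro definition in the style of Runals' example above.
SAMPLE_CONF = """\
[cisco_ios]
search = sourcetype=cisco:ios

[Cisco ACL denies]
search = eventtype=cisco_ios "denied" \\
  | stats count by src_ip

[Cisco interface errors]
search = sourcetype="cisco:ios" "%LINK-3-UPDOWN" | stats count by interface

[Cisco_data]
definition = index=foo sourcetype=ciscoios
"""

# sourcetype=value or sourcetype="value", with optional spaces around '='.
_ST_RE = re.compile(r'sourcetype\s*=\s*"?([A-Za-z0-9_:.\-]+)"?')


def parse_stanzas(conf_text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for Splunk-style .conf text: [stanza] headers,
    key = value lines, comments, and backslash line continuations."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    pending_key = None  # key whose value continues on the next line
    for raw in conf_text.splitlines():
        line = raw.rstrip()
        if pending_key is not None:
            cont = line.strip()
            stanzas[current][pending_key] += " " + cont.rstrip("\\").strip()
            if not cont.endswith("\\"):
                pending_key = None
            continue
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        header = re.match(r"\[(.+)\]\s*$", line)
        if header:
            current = header.group(1)
            stanzas[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value.endswith("\\"):
            value = value.rstrip("\\").strip()
            pending_key = key
        stanzas[current][key] = value
    return stanzas


def find_sourcetype_refs(conf_text: str) -> Dict[str, List[str]]:
    """Map each stanza to the sourcetypes it references directly.
    Stanzas that only use eventtype=... are not listed: those already
    follow the eventtype-based layout recommended in the thread."""
    refs: Dict[str, List[str]] = {}
    for name, keys in parse_stanzas(conf_text).items():
        found: List[str] = []
        for value in keys.values():
            found.extend(_ST_RE.findall(value))
        if found:
            refs[name] = found
    return refs


def rewrite_sourcetype(conf_text: str, old: str, new: str) -> str:
    """Replace direct references to sourcetype `old` with `new`; the
    lookahead keeps a prefix match (e.g. old='cisco') from clobbering
    a longer name. eventtype= references are left untouched."""
    pattern = re.compile(
        r'(sourcetype\s*=\s*"?)' + re.escape(old) + r'(?![A-Za-z0-9_:.\-])'
    )
    return pattern.sub(lambda m: m.group(1) + new, conf_text)


def props_rename_stanza(existing: str, app_expects: str) -> str:
    """props.conf stanza for Splunk sourcetype renaming: events indexed as
    `existing` become searchable as `app_expects`. Caveat from the thread:
    after this, searches for sourcetype=<existing> no longer match that data
    (the original name is only reachable via the _sourcetype field)."""
    return f"[{existing}]\nrename = {app_expects}\n"


if __name__ == "__main__":
    print("Direct sourcetype references:", find_sourcetype_refs(SAMPLE_CONF))
    print(rewrite_sourcetype(SAMPLE_CONF, "cisco:ios", "ciscoios"))
    print(props_rename_stanza("ciscoios", "cisco:ios"))
```

Running the audit over a real app means reading its eventtypes.conf, macros.conf and savedsearches.conf from default/ and local/ and feeding each file to find_sourcetype_refs; whatever it reports is the list lguinn2 warns is "a pain and prone to error" to edit by hand, and an empty report means the eventtype-only change from version 2.2.2 is all that is needed.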
