All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is it possible to change the sourcetype in the app from cisco:ios to ciscoios? If not, how would I configure the app to work with our existing sourcetype?

jaywilwk
Engager
‎04-29-2015 08:48 AM
 
0 Karma
Reply

mikaelbje
Motivator
‎04-29-2015 12:17 PM

I would go for sourcetype renaming for a short term solution. Some of the queries in the app reference an eventtype, others search for sourcetype directly. I will correct this in the next version of the app so that you only have to change the eventtype definition. If you are using the built-in transform to transform the sourcetype to cisco:ios from syslog you will also need to change that one place in transforms.conf

0 Karma
Reply

mikaelbje
Motivator
‎04-30-2015 04:45 AM

Version 2.2.2 of the app now only relies on eventtypes. If you'd like to use a different sourcetype you can do the following:

In TA-cisco_ios/local/

Create eventtypes.conf
Add:

[cisco_ios]
search = sourcetype=YOUR_SOURCETYPE_NAME

2.2.2 is unreleased, but you can get it from my development repo at github.com/inspired

0 Karma
Reply

Runals
Motivator
‎04-29-2015 09:14 AM

I haven't used the app but the general process would be to look at the queries used and change the referenced sourcetype. In an ideal world the queries would use either a macro or eventtype where the sourcetype is defined and then the queries reference the eventtype/macro. If that isn't how this app is built I might suggest creating these structures and put them in place as you update the app so that it works for you.

For example you might have a macro like

Cisco_data
index = foo sourcetype=ciscoios

Queries

`Cisco_data` | stats count by <whatever>

A more extreme approach would be to adjust your inputs to change the name of new data and put in a sourcetype rename for your existing data (props.conf). This would probably upset any existing content using the current name. There isn't a fieldalias equivalent for a sourcetype (that I know of) where you could have 1 sourcetype have 2 sourcetype 'names'

0 Karma
Reply

lguinn2
Legend
‎04-29-2015 09:15 AM

There is exactly an equivalent for sourcetypes - it is called sourcetype renaming: http://docs.splunk.com/Documentation/Splunk/6.2.2/Data/Renamesourcetypes

0 Karma
Reply

Runals
Motivator
‎04-29-2015 11:57 AM

That is what I was referencing in terms of renaming =). I don't think of that as field aliasing in that with a field alias it is quickly apparent to users multiple fields exist. It isn't as apparent there is a different sourcetype that can be leveraged.

0 Karma
Reply

lguinn2
Legend
‎04-29-2015 09:07 AM

You could go through all the configuration files in the app, changing the sourcetype wherever it appears. But that is a pain and prone to error.

I would just create an alias. Go to Settings -> Fields -> Sourcetype renaming. Click "new" and fill in the form.
Note that you have to pick an app for this - you should probably choose the Cisco Networks Add-on. Once you have created the entry, you should set its permissions so that everyone can use it (read permission).

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...