All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is sourcetype alias a thing?

DaClyde
Contributor
‎02-08-2019 10:48 AM

As my program isn't great at planning for the future, or doing anything involving industry standards, we are indexing our Liferay Tomcat logs in Splunk, but had not used the typical "access_combined" sourcetype: we just called it "liferay" and we extracted all the fields using more of an IIS theme (so 'cs_uri_stem' instead of 'uri', etc.). We built several rudimentary web stats dashboards for the various sites we are hosting in Liferay.

However, in a recent effort to get the Splunk App for Web Analytics working, I used the sourcetype rename and renamed our "liferay" sourcetype to "access_combined" and re-extracted all of the fields using the more common standard field names the App was expecting. So now, the Splunk App for Web Analytics works great, but all of my previously built custom web stats dashboards are broken because the old sourcetype (and associated field extractions) is no longer recognized.

Is there a way to have a single sourcetype respond to two different names, like a field alias? Or do I have to go and do a bunch of find & replace work and change all my old dashboards?

0 Karma
Reply

jbjerke_splunk
Splunk Employee
Splunk Employee
‎03-21-2019 07:07 AM

It might be possible to use the sourcetype rename in the app context of Splunk App for Web Analytics only. This way all your old dashboard would still use the original sourcetype.

j

0 Karma
Reply

ddrillic
Ultra Champion
‎02-08-2019 11:39 AM

I don't think there is a sourcetype alias but maybe wildcards in sourcetypes can help - Is it possible to use wildcards in sourcetype props.conf stanzas

0 Karma
Reply

kmower
Communicator
‎04-02-2019 10:20 PM

So you actually got it working with IIS logs? I have had a heck of a time trying to get it to work with my IIS logs, so it sounds like doing what you are doing and mapping to the Apache access_combined must be the only way to go. I am left wondering why they list 'iis' as a supported source type for Web Analytics. Is it that Splunk hasn't looked at IIS since it moved to W3SVC logs by default? I wish we could get more information on this because I would really like to get Web Analytics to work.

0 Karma
Reply

DaClyde
Contributor
‎04-12-2019 09:05 AM

Well, no. While we do use IIS, it is in support of an automated data movement software, so it isn't really web site navigation traffic, just uploads and downloads. We built custom dashboards for handling all of that.

However, I did get the Web Analytics working with the field aliases for my tomcat logs, at least within the limitations of our logging. I did ultimately end up updating all of my existing custom web stats pages to use the field aliases, as the aliases seemed to completely take over the field naming, instead of both field names being available.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...