I have an inputs.conf
Now, I want to overwrite the sourcetype in the HF as mentioned in the Splunk docs.
But my sourcetype is not getting overwritten; I am getting the same sourcetype, AA, in my IDX server. How can I correct it?
You'd have to use the transforms to update the sourcetype metadata, like this:

# props.conf
[source::/tmp/a.txt]
SHOULD_LINEMERGE = false
TRANSFORMS-overridest = override_st

# transforms.conf
[override_st]
REGEX = .
FORMAT = sourcetype::BB
DEST_KEY = MetaData:Sourcetype
This will be your reference Splunk documentation for the same: http://docs.splunk.com/Documentation/Splunk/7.0.3/Data/Advancedsourcetypeoverrides
Whichever comes first in data from source. Generally if you're using HF, before index, set this up in HF. A restart of splunkd service would be required and it'd only affect the new events that come after you set this up.
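
A pre-deployment check for the props.conf/transforms.conf pair described in the answer, as an added example that is not part of the original post or of Splunk's tooling: it flags mis-cased setting names, TRANSFORMS- references with no matching stanza, and a sourcetype FORMAT without the `sourcetype::` prefix. The function names, the `KNOWN_KEYS` list and the sample text are assumptions constructed for illustration.

```python
import configparser

# Constructed sample input mirroring the stanzas in the answer above.
PROPS = """
[source::/tmp/a.txt]
SHOULD_LINEMERGE = false
TRANSFORMS-overridest = override_st
"""
TRANSFORMS = """
[override_st]
REGEX = .
FORMAT = sourcetype::BB
DEST_KEY = MetaData:Sourcetype
"""
KNOWN_KEYS = {"SHOULD_LINEMERGE", "REGEX", "FORMAT", "DEST_KEY"}  # assumed short list

def _parse(text):
    cp = configparser.RawConfigParser(delimiters=("=",), comment_prefixes=("#",), strict=False)
    cp.optionxform = str  # setting names are case-sensitive, so keep them as written
    cp.read_string(text)
    return cp

def check_sourcetype_override(props_text, transforms_text):
    """Return a list of problems that would stop the override from applying."""
    props, transforms = _parse(props_text), _parse(transforms_text)
    problems = []
    for cp, name in ((props, "props.conf"), (transforms, "transforms.conf")):
        for stanza in cp.sections():
            for key in cp[stanza]:
                if key not in KNOWN_KEYS and key.upper() in KNOWN_KEYS:
                    problems.append(f"{name} [{stanza}]: '{key}' should be '{key.upper()}'")
    for stanza in props.sections():
        for key, value in props[stanza].items():
            if not key.startswith("TRANSFORMS-"):
                continue
            for ref in (r.strip() for r in value.split(",")):
                if not transforms.has_section(ref):
                    problems.append(f"props.conf [{stanza}]: transform '{ref}' not defined")
                    continue
                t = transforms[ref]
                if (t.get("DEST_KEY") == "MetaData:Sourcetype"
                        and not t.get("FORMAT", "").startswith("sourcetype::")):
                    problems.append(f"transforms.conf [{ref}]: FORMAT needs 'sourcetype::' prefix")
    return problems
```
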