Getting Data In

Can I change the source name of the already indexed events?

splunkIT
Splunk Employee
Splunk Employee

We create a UDP Data Input on port 524.
This shows up as 'udp:524' in the Sources list on the main Search page

I then want to rename it a human readable source name like GK2-ExpressCloud so I go to Manager > Data Inputs > UDP > 524 > Source name override: 'GK2-ExpressCloud'

I then expected Splunk to migrate the 6.9 million entries under the Source of 'udp:524' to now be 6.9 million entries under the 'GK2-ExpressCloud' Source.

However the Source name remains the same, 'udp:524', in the main Search window. It seems like my change didn't take affect. However, the new events (after name override was made) are getting the correct source name. So the question is whether there is a way I can change the source name of previously indexed events.

Tags (2)
0 Karma
1 Solution

Ayn
Legend

No, you cannot. Source, sourcetype and host (+ a few other internal fields) are set at the time of indexing and cannot be changed afterwards.

View solution in original post

Ayn
Legend

No, you cannot. Source, sourcetype and host (+ a few other internal fields) are set at the time of indexing and cannot be changed afterwards.

Ayn
Legend

No. For whatever it's worth, in my view, most often you shouldn't have to filter on source, but on sourcetype. source is just a specific location where the logs came from. The sourcetype is the more important part, so if you start naming sources in the same manner as sourcetypes, you might regret that later on.

0 Karma

splunkIT
Splunk Employee
Splunk Employee

Thanks Ayn for the info. So is there anyway get around it without having to modifying my search?

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...