Solved: Can I change the source name of the already indexe...

splunkIT · ‎11-14-2012

We create a UDP Data Input on port 524.
This shows up as 'udp:524' in the Sources list on the main Search page

I then want to rename it a human readable source name like GK2-ExpressCloud so I go to Manager > Data Inputs > UDP > 524 > Source name override: 'GK2-ExpressCloud'

I then expected Splunk to migrate the 6.9 million entries under the Source of 'udp:524' to now be 6.9 million entries under the 'GK2-ExpressCloud' Source.

However the Source name remains the same, 'udp:524', in the main Search window. It seems like my change didn't take affect. However, the new events (after name override was made) are getting the correct source name. So the question is whether there is a way I can change the source name of previously indexed events.

Ayn · ‎11-14-2012

No, you cannot. Source, sourcetype and host (+ a few other internal fields) are set at the time of indexing and cannot be changed afterwards.

View solution in original post

Ayn · ‎11-14-2012

No, you cannot. Source, sourcetype and host (+ a few other internal fields) are set at the time of indexing and cannot be changed afterwards.

Ayn · ‎11-14-2012

No. For whatever it's worth, in my view, most often you shouldn't have to filter on source, but on sourcetype. source is just a specific location where the logs came from. The sourcetype is the more important part, so if you start naming sources in the same manner as sourcetypes, you might regret that later on.

splunkIT · ‎11-14-2012

Thanks Ayn for the info. So is there anyway get around it without having to modifying my search?

Can I change the source name of the already indexed events?

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Introducing Edge Processor: Next Gen Data Transformation

Take the 2021 Splunk Career Survey for $50 in Amazon Cash