Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can a sourcetype be aliased, meaning, can it inherit extractions from another sourcetype?

paimonsoror
Builder
‎01-24-2017 10:22 AM

Wasn't able to find a solid answer on this one, but I am using Splunk 6.x, and was wondering if I could have a sourcetype, that essentially "inherits" another sourcetype. For example

[monitor:///var/log/httpd/access.log]
index = app_cp
sourcetype = cp:httpd:access
#souretype = access_combined
ignoreOlderThan = 1d

Ideally I would like the team to be able to leverage a sourcetype called cp:httpd:access so that they only get the access logs that pertain to their particular logs files, but i also want it to inherit the extractions defined by access_combined.

So essentially, can cp:httpd:access inherit from access_combined?

Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎01-24-2017 10:44 AM

Yes; you can rename a sourcetype:

https://docs.splunk.com/Documentation/Splunk/6.5.1/Data/Renamesourcetypes

This is a search-time configuration and can have app-scope. Also, within the effected scope, the old/original/REAL sourcetype name can be accessed under the field name _sourcetype.

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎01-24-2017 10:44 AM

Yes; you can rename a sourcetype:

https://docs.splunk.com/Documentation/Splunk/6.5.1/Data/Renamesourcetypes

This is a search-time configuration and can have app-scope. Also, within the effected scope, the old/original/REAL sourcetype name can be accessed under the field name _sourcetype.

Reply
Solved! Jump to solution

paimonsoror
Builder
‎01-24-2017 11:14 AM

YOU ROCK!!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...