Getting Data In

Can a sourcetype be aliased, meaning, can it inherit extractions from another sourcetype?

Builder

Wasn't able to find a solid answer on this one, but I am using Splunk 6.x, and was wondering if I could have a sourcetype, that essentially "inherits" another sourcetype. For example

[monitor:///var/log/httpd/access.log]
index = app_cp
sourcetype = cp:httpd:access
#souretype = access_combined
ignoreOlderThan = 1d

Ideally I would like the team to be able to leverage a sourcetype called cp:httpd:access so that they only get the access logs that pertain to their particular logs files, but i also want it to inherit the extractions defined by access_combined.

So essentially, can cp:httpd:access inherit from access_combined?

0 Karma
1 Solution

Esteemed Legend

Yes; you can rename a sourcetype:

https://docs.splunk.com/Documentation/Splunk/6.5.1/Data/Renamesourcetypes

This is a search-time configuration and can have app-scope. Also, within the effected scope, the old/original/REAL sourcetype name can be accessed under the field name _sourcetype.

View solution in original post

Esteemed Legend

Yes; you can rename a sourcetype:

https://docs.splunk.com/Documentation/Splunk/6.5.1/Data/Renamesourcetypes

This is a search-time configuration and can have app-scope. Also, within the effected scope, the old/original/REAL sourcetype name can be accessed under the field name _sourcetype.

View solution in original post

Builder

YOU ROCK!!

0 Karma