Getting Data In

Convert sourcetype

sloshburch
Splunk Employee
Splunk Employee

I've got a file that was previously indexed as sourcetype1 but I want it to be customer_sourcetype2. I thought there was a way in splunk to have splunk, at search time, reassign that search type. Am I wrong?

I thought I could do this with a props.conf entry:

[source::/path/to/file/filename.log]
    sourcetype = customer_sourcetype2

Someone correct my understanding?

Tags (1)
0 Karma
1 Solution

kristian_kolb
Ultra Champion

Perhaps have a look here:

http://docs.splunk.com/Documentation/Splunk/6.0/Data/Renamesourcetypes

This is the closest you are going to get, I'm afraid. sourcetype is one of those things that cannot be truly changed after the data has been indexed.

/K

View solution in original post

kristian_kolb
Ultra Champion

Perhaps have a look here:

http://docs.splunk.com/Documentation/Splunk/6.0/Data/Renamesourcetypes

This is the closest you are going to get, I'm afraid. sourcetype is one of those things that cannot be truly changed after the data has been indexed.

/K

sloshburch
Splunk Employee
Splunk Employee

Thank you!

0 Karma

kristian_kolb
Ultra Champion

yeah, well, no. It's like;

[sourcetype_1]
rename = sourcetype_2

The renaming can only be done on a [sourcetype], not a [source::/path/to/file] or a [host::hostname].

/k

0 Karma

sloshburch
Splunk Employee
Splunk Employee

Yea - looks like that's the case.

rename =
* Renames [] as
* With renaming, you can search for the [] with sourcetype=
* To search for the original source type without renaming it, use the field _sourcetype.
* Data from a a renamed sourcetype will only use the search-time configuration for the target sourcetype.
Field extractions (REPORTS/EXTRAXCT) for this stanza sourcetype will be ignored.
* Defaults to empty.

From: http://docs.splunk.com/Documentation/Splunk/5.0.2/Admin/Propsconf

0 Karma

sloshburch
Splunk Employee
Splunk Employee

Oh wow thanks! I'm guessing that won't work if I can only specify the source. There are other sources with the same sourcetype1 which I don't want to change sourcetypes for.

[source::/path/to/file/filename.log]
rename = customer_sourcetype2

0 Karma

sdaniels
Splunk Employee
Splunk Employee

Just found that as well...

0 Karma
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...