How do you override "source" on a oneshot?

Ron_Naken
Splunk Employee

I'm using oneshot to do a one-time import of data:

splunk add oneshot $(pwd)/mydata -sourcetype mytype -index main

However, I am unable to specify a source override for the data. I want a custom value instead of the default filepath/filename. I tried this:

splunk add oneshot $(pwd)/mydata -sourcetype mytype -index main -source mysource

But this generates an error:

Only one "name" parameter can be specified.
1 Solution

V_at_Splunk
Splunk Employee

Use -rename-source like this:

splunk add oneshot $(pwd)/mydata -sourcetype mytype -index main -rename-source mysource

This was a known issue (SPL-32358) and was fixed in Splunk 4.2.

Lowell
Super Champion

Before 4.2, you should be able to override the source by adding a line like this to the beginning of your log file:

***SPLUNK*** source=mysource

Of course this works for sourcetype, host, and index too.

Lowell
Super Champion

According to V_at_Splunk, in 4.2, you should be able to use a new parameter called -rename-source, and therefore this workaround shouldn't be necessary. (This should still work in 4.2. That said, I'm not sure if the new HEADER_MODE props.conf setting will have any impact on this or not.)

0 Karma

dwaddle
SplunkTrust

When you say "Before 4.2" is this due to a defect/bug in 4.2, or a change in how Splunk 4.2 works?

0 Karma
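
The header workaround from Lowell's answer, as an added shell example that is not part of the original thread: it writes a copy of the log file with the "***SPLUNK***" line prepended, so the original file is never modified before import. The function name, putting several fields space-separated on the one header line, and the character allowlist for values are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread.
# with_splunk_header SRC DEST key=value [key=value ...]
# Writes DEST = "***SPLUNK*** key=value ..." header line + contents of SRC.
# The copy is what would then be passed to "splunk add oneshot".
with_splunk_header() {
    src=$1; dest=$2; shift 2
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    [ "$#" -gt 0 ] || { echo "no overrides given" >&2; return 1; }
    # Never clobber an existing file (it might be the original data).
    [ ! -e "$dest" ] || { echo "refusing to overwrite $dest" >&2; return 1; }

    header='***SPLUNK***'
    for kv in "$@"; do
        case $kv in
            *=*) ;;
            *) echo "expected key=value, got: $kv" >&2; return 1 ;;
        esac
        key=${kv%%=*}; val=${kv#*=}
        # Only the fields named in the thread are accepted.
        case $key in
            source|sourcetype|host|index) ;;
            *) echo "unsupported field: $key" >&2; return 1 ;;
        esac
        # Assumption: values are restricted to a conservative character set,
        # because whitespace or '=' would change how the header line splits.
        case $val in
            ''|*[!A-Za-z0-9._:/-]*) echo "bad value for $key" >&2; return 1 ;;
        esac
        header="$header $key=$val"
    done

    # Header first, then the original bytes, written to the new file only.
    { printf '%s\n' "$header"; cat -- "$src"; } > "$dest"
}
```

Called as, for instance, with_splunk_header mydata mydata.hdr source=mysource, after which mydata.hdr is the file given to the oneshot command in place of mydata.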
