Getting Data In

How do you override "source" on a oneshot?

Ron_Naken
Splunk Employee
Splunk Employee

I'm using oneshot to do a one-time import of data:

splunk add oneshot $(pwd)/mydata -sourcetype mytype -index main

However, I am unable to to specify a source override for the data. I want a custom value instead of the default filepath/filename. I tried this:

splunk add oneshot $(pwd)/mydata -sourcetype mytype -index main -source mysource

But this generate an error

Only one "name" parameter can be specified.
Tags (2)
1 Solution

V_at_Splunk
Splunk Employee
Splunk Employee

Use -rename-source like this

splunk add oneshot $(pwd)/mydata -sourcetype mytype -index main -rename-source mysource

This was a known issue (SPL-32358) and was fixed in Splunk 4.2.

View solution in original post

Lowell
Super Champion

Before 4.2, you should be able to override the source by adding a line like this to the beginning of your log file:

***SPLUNK*** source=mysource

Of course this works for sourcetype, host, and index too.

Lowell
Super Champion

According to V_at_Splunk, in 4.2, you should be able to use a new parameter called -rename-source, and therefore this work around shouldn't be necessary. (This should still work in 4.2. That said, I'm not sure if the new HEADER_MODE props.conf setting will have any impact on this or not.)

0 Karma

dwaddle
SplunkTrust
SplunkTrust

When you say "Before 4.2" is this due to a defect/bug in 4.2, or a change in how Splunk 4.2 works?

0 Karma

V_at_Splunk
Splunk Employee
Splunk Employee

Use -rename-source like this

splunk add oneshot $(pwd)/mydata -sourcetype mytype -index main -rename-source mysource

This was a known issue (SPL-32358) and was fixed in Splunk 4.2.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...