I'm using oneshot to do a one-time import of data:
splunk add oneshot $(pwd)/mydata -sourcetype mytype -index main
However, I am unable to to specify a
source override for the data. I want a custom value instead of the default filepath/filename. I tried this:
splunk add oneshot $(pwd)/mydata -sourcetype mytype -index main -source mysource
But this generate an error
Only one "name" parameter can be specified.
-rename-source like this
splunk add oneshot $(pwd)/mydata -sourcetype mytype -index main -rename-source mysource
This was a known issue (SPL-32358) and was fixed in Splunk 4.2.
Before 4.2, you should be able to override the source by adding a line like this to the beginning of your log file:
Of course this works for
According to VatSplunk, in 4.2, you should be able to use a new parameter called
-rename-source, and therefore this work around shouldn't be necessary. (This should still work in 4.2. That said, I'm not sure if the new
HEADER_MODE props.conf setting will have any impact on this or not.)