Getting Data In

How to rename the sourcetype name after data has been indexed?

john_q
Explorer

Hi,

I created an index for one log file in Splunk indexer with sourcetype = _json, but I would like to see the sourcetype name as a custom name like json_events instead of _json in Splunk Web. I already tried with rename and it's working fine, but the problem is that in future these kinds of sourcetypes (new log files) will come, and then rename applies for all the _json sourcetypes. So, how can we fix it?

0 Karma

katanguriabhi
Explorer

John, did you find a solution for this?

0 Karma

gjanders
SplunkTrust

While you cannot change your indexed data, you can Rename source types at search time. However, it might be better to fix the source data for future events rather than use renaming...

0 Karma

christiang
New Member

Hi there, you can try to override the sourcetype from a particular source, like this.

[source::/...<your_sourcetype>]
sourcetype = my_custom_sourcetype

Hope it helps.

0 Karma

koshyk
Super Champion

"sourcetype" is an index-time field. You cannot change it once the data is indexed.
Hence:
- For already indexed data, the only option is to reindex the data with the correct sourcetype
- For new data, you can assign the correct sourcetype in inputs.conf or props.conf/transforms.conf, so all future events will be correctly sourcetyped

0 Karma
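The options named in the answers above, as an added configuration example that is not from any poster in this thread. The monitored paths, the index name `app_logs`, the sourcetype names other than `_json` and `json_events`, and the transform name are hypothetical; `KV_MODE = json` is an assumption about how the events should be parsed.

```ini
# --- inputs.conf (on the forwarder; paths and index name are hypothetical) ---
# Assign a distinct sourcetype per input so new JSON feeds never share _json.
[monitor:///var/log/app_a/events.json]
index = app_logs
sourcetype = json_events

[monitor:///var/log/app_b/audit.json]
index = app_logs
sourcetype = json_audit

# --- props.conf ---
# Settings for the custom sourcetypes (assumption: search-time JSON
# field extraction is wanted for these events).
[json_events]
KV_MODE = json

[json_audit]
KV_MODE = json

# Alternative when the input itself cannot be changed: override by source
# path at index time (on the indexer or heavy forwarder). This affects only
# events indexed after the change, not data that is already indexed.
[source::/var/log/app_c/*.json]
TRANSFORMS-set_sourcetype = set_st_json_app_c

# Search-time rename, shown commented out for comparison. It applies to every
# event whose indexed sourcetype is _json, which is the behavior the question
# wants to avoid. The original value stays searchable as _sourcetype.
# [_json]
# rename = json_events

# --- transforms.conf ---
[set_st_json_app_c]
REGEX = .
FORMAT = sourcetype::json_app_c
DEST_KEY = MetaData:Sourcetype
```

Detections, alerts, and saved searches that filter on `sourcetype=_json` need to be updated to the new names once new data arrives under them.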

miteshp250283
Path Finder

You will find Sourcetype Renaming option in Settings --> Fields menu path. Select the Destination App and provide the name of current sourcetype, _json in your case, and the new sourcetype as json and click Save.

Hope this helps.

Regards, Mitesh.

john_q
Explorer

Hi Mitesh,
thanks for your answer, that's OK. But in my case, if in future the same log data (sourcetype) comes into that same destination app, then Splunk will rename it with this custom name, right?

0 Karma

miteshp250283
Path Finder

Internally, Splunk would store the new set of data with _json st; however, the search-time interesting fields will list it as json in your case.

0 Karma

john_q
Explorer

Yes, but I would like to give another new custom name for the upcoming _json sourcetype in the same destination app. Is it possible?

0 Karma

miteshp250283
Path Finder

In that case, you need to redefine your inputs.conf to point to the corrected props.conf with json st.

0 Karma