I created an index for one log file in the Splunk indexer with sourcetype = json, but I would like to see the sourcetype name as a custom name like jsonevents instead of _json in Splunk Web. I already tried with rename and it's working fine, but the problem is that in the future these kinds of sourcetypes (new log files) will come, and then the rename applies to all the _json sourcetypes. So, how can we fix it?
You will find the Sourcetype Renaming option in the Settings --> Fields menu path. Select the Destination App and provide the name of the current sourcetype, _json in your case, and the new sourcetype as json and click Save.
Hope this helps.
Thanks for your answer, that's OK. But in my case, if in the future the same log data (sourcetype) comes into that same destination app, then Splunk will rename it with this custom name, right?
Internally, Splunk would store the new set of data with _json st; however, the search time interesting fields will list it as json in your case.
Yes, but I would like to give another new custom name for the upcoming _json sourcetype in the same destination app. Is it possible?
"sourcetype" is an index time field. You cannot change once the data is indexed.
- For already indexed data, the only option is to reindex the data with the correct sourcetype
- For new data, you can assign the correct sourcetype in inputs.conf or props.conf/transforms.conf, so all future events will be correctly sourcetyped
Hi there, you can try to override the sourcetype from a particular source, like this.
    [source::/...<your_sourcetype>]
    sourcetype = my_custom_sourcetype
Hope it helps.
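
The per-input and per-source assignments suggested in the answers above, written out as an added example that is not part of any post in this thread. The file paths, the index name app_logs, the transform name and the sourcetype names other than jsonevents are constructed for illustration.

```ini
# --- inputs.conf (on the instance that reads the files) ---
# Each new log file gets its own custom sourcetype at input time,
# so nothing is ever indexed as _json and no global rename is needed.
# Paths and index name are constructed.
[monitor:///var/log/app/events.json]
index = app_logs
sourcetype = jsonevents

[monitor:///var/log/app/orders.json]
index = app_logs
sourcetype = jsonorders

# --- props.conf ---
# Alternative: leave inputs.conf alone and override by source path.
[source::/var/log/app/audit*.json]
sourcetype = jsonaudit

# Alternative: per-event override through transforms.conf.
[source::/var/log/app/billing*.json]
TRANSFORMS-set_st = set_sourcetype_jsonbilling

# A custom sourcetype does not inherit the settings of _json,
# so JSON field extraction is enabled on each one explicitly
# (search-time extraction shown here).
[jsonevents]
KV_MODE = json

[jsonorders]
KV_MODE = json

[jsonaudit]
KV_MODE = json

[jsonbilling]
KV_MODE = json

# --- transforms.conf ---
# Rewrites the sourcetype metadata key at index time for every
# event from the matching source stanza above.
[set_sourcetype_jsonbilling]
REGEX = .
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::jsonbilling
```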