I'm trying to rename a sourcetype, by why isn't my...

a212830 · ‎04-27-2015

Hi,

I want to rename a sourcetype, but the following isn't working:

[log4j]
KV_MODE = auto
ANNOTATE_PUNCT = false
TRANSFORMS-changesourcetype = set_fc_catalina_out

[set_fc_catalina_out]
FORMAT = sourcetype::fc_catalina_out
DEST_KEY = MetaData:Sourcetype

Am I missing something?

NOUMSSI · ‎04-27-2015

# with [<sourcetype>]:
rename = <string>
* Renames [<sourcetype>] as <string>
* With renaming, you can search for the [<sourcetype>] with
sourcetype=<string>
* To search for the original source type without renaming it, use the  field _sourcetype.
* Data from a a renamed sourcetype will only use the search-time configuration for the target
sourcetype. Field extractions (REPORTS/EXTRACT) for this stanza sourcetype will be ignored.
* Defaults to empty.

esix_splunk · ‎04-27-2015

It depends where in the process you are trying to rename this source type. Are you trying to rename this at the search layer or index layer?

What you are doing will rename the source type at parsing / index time.

If you are trying to do this to data that has already been indexed, you simply need to rename the data source:

[log4j]
rename = fc_catalina_out

esix_splunk · ‎04-28-2015

Post your configurations.

a212830 · ‎04-27-2015

Doing it at the indexer layer, but it's not working. Would the indexers need to be restarted?

esix_splunk · ‎04-27-2015

Once you change a props / transforms, the indexers do need to be restarted.

a212830 · ‎04-28-2015

Tried all this - still no change.

I'm trying to rename a sourcetype, by why isn't my configuration working?

Enterprise Security Content Updates (ESCU) - New Releases

Thought Leaders are Validating Your Hard Work and Training Rigor

.conf23 Registration is Now Open!