Solved: I want source type separation using prop.conf.

noott211 · ‎12-27-2021

index name = my_index
source name = my_source
sourcetype = my_sourcetpye
host = 192.168.0.10

-----------------------------
The field action is =allow -> my_allow.
Action = deny -> my_deny
other -> my_myontype
I want to change it to this.

help me

isoutamo · ‎12-28-2021

If I understood right your request you could do it with props.conf and transforms.conf (you need both). Look e.g. CLONE_SOURCETYPE for that. If there are lot of those values then it could be hard to manage all those versions.

View solution in original post

isoutamo · ‎12-28-2021

Hi

In splunk concept sourcetype means lexical format of log event/source. Based on that it's not a good practice to name sourcetype by value of field (if I understood right what you are asking?). Instead of sourcetype you should use eventtype to separate those events inside sourcetype.

r. Ismo

noott211 · ‎12-28-2021

I want to separate data whenever it comes in. Can similar effects be achieved using prop.conf or transaction.conf?

isoutamo · ‎12-28-2021

If I understood right your request you could do it with props.conf and transforms.conf (you need both). Look e.g. CLONE_SOURCETYPE for that. If there are lot of those values then it could be hard to manage all those versions.

I want source type separation using prop.conf.

props.conf

sourcetype

transforms.conf

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Data Management Digest – May 2026

Join the Conversation