Solved: Rename sourcetype for only one app

christopherutz · ‎08-12-2010

We are standardizing some sourcetype names and had the idea to provide a "compatibility" app in which users could run searches on the old sourcetypes if needed. To implement this we setup a rename stanza for our sourcetype in the props.conf file for our compatibility app as suggested in this thread http://answers.splunk.com/questions/4940/sourcetype-aliasing.

[new_sourcetype_name]
rename=old_sourcetype_name

It seems that even though the rename is specified within an app it is applied globally. Searches run in the default search app (or other apps we have created) require the use of the renamed sourcetype.

The hope is that searches in all other apps could be performed on sourcetype=new_sourcetype_name but users could search for sourcetype=old_sourcetype_name via the compatibility app.

Chris

ziegfried · ‎08-12-2010

Haven't done it before, but try putting the following in the metadata/local.meta in your app directory:

[props]
export = none

View solution in original post

ziegfried · ‎08-12-2010

Haven't done it before, but try putting the following in the metadata/local.meta in your app directory:

[props]
export = none

Lowell · ‎08-13-2010

I think you could further refine this so that you are only blocking the sourcetype rename by changing [props] to [props/new_sourcetype_name/rename], just FYI. This would be helpful if you need other props.conf settings but simply wanted to block the rename itself.

christopherutz · ‎08-12-2010

This appears to be the solution. Things are functioning as desired now. Thank you very much!

Rename sourcetype for only one app

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?

Rename sourcetype for only one app

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR