Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Renaming Sourcestypes feature - wildcards?

gnovak
Builder
‎10-18-2010 03:57 PM

Hello fellow splunkers,

I have a quick question regarding the sourcetype renaming feature found in Manager/Fields/Sourcetype Renaming.

Can you use wildcards with this feature? For instance:

For sourcetypes that are named web_server.log-3, web_server.log-6, web_server.log-10, etc, we would want to rename all of these that end in a trailing number to just WEB. So could we put:

Old sourcetype name: web_server.log*

New Sourcetype name: WEB

I was going to give this a shot using the sourcetype renaming page on the splunk gui. Thoughts?

Tags (2)
Reply

sowings
Splunk Employee
Splunk Employee
‎08-02-2013 07:06 AM

I would argue that what you'd really want to do is lock down the sourcetype of your data, rather than letting Splunk try to figure it out. Most of the time, sending data into Splunk, it will do a decent job of figuring out the shape of your data. If you've got standard log types such as IIS or syslog or Apache access logs, or something like that, Splunk can draw upon its internal library to make sense of your data.

However, as you expand and start indexing larger volumes of data, you'll want to make some efficiency tweaks to tell Splunk how to index the data rather than letting it guess. The proliferation of these numbered sourcetypes is because each time Splunk is looking at your file, it detects a slightly different shape, and so it keeps incrementing that number. I've seen "csv-63" as a sourcetype name.

This is where your expertise as the administrator comes in handy. You know that your IIS logs are writing their output in a certain format, and even the field order. You can provide a sourcetype parameter in your inputs.conf definition to brand the indexed data with that sourcetype. Then, if you need to write your own field extractions, you'll be doing so for just one sourcetype, rather than trying to rename them all to match the "generic" type.

0 Karma
Reply

hulahoop
Splunk Employee
Splunk Employee
‎10-18-2010 04:59 PM

Unfortunately wildcards are currently not supported in sourcetype renaming. Please file an enhancement request with the Splunk Support team to "vote" up this feature.

Reply

mikefife
New Member
‎08-01-2013 08:37 AM

I could really do with this as a feature too!

0 Karma
Reply

sloshburch
Ultra Champion
‎07-26-2013 11:19 AM

Anyone know if this made it into splunk?

0 Karma
Reply
Get Updates on the Splunk Community!

What the End of Support for Splunk Add-on Builder Means for You

Hello Splunk Community! We want to share an important update regarding the future of the Splunk Add-on Builder ...

Solve, Learn, Repeat: New Puzzle Channel Now Live

Welcome to the Splunk Puzzle PlaygroundIf you are anything like me, you love to solve problems, and what ...

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...