Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Renaming Sourcestypes feature - wildcards?

gnovak
Builder
‎10-18-2010 03:57 PM

Hello fellow splunkers,

I have a quick question regarding the sourcetype renaming feature found in Manager/Fields/Sourcetype Renaming.

Can you use wildcards with this feature? For instance:

For sourcetypes that are named web_server.log-3, web_server.log-6, web_server.log-10, etc, we would want to rename all of these that end in a trailing number to just WEB. So could we put:

Old sourcetype name: web_server.log*

New Sourcetype name: WEB

I was going to give this a shot using the sourcetype renaming page on the splunk gui. Thoughts?

Tags (2)
Reply

sowings
Splunk Employee
Splunk Employee
‎08-02-2013 07:06 AM

I would argue that what you'd really want to do is lock down the sourcetype of your data, rather than letting Splunk try to figure it out. Most of the time, sending data into Splunk, it will do a decent job of figuring out the shape of your data. If you've got standard log types such as IIS or syslog or Apache access logs, or something like that, Splunk can draw upon its internal library to make sense of your data.

However, as you expand and start indexing larger volumes of data, you'll want to make some efficiency tweaks to tell Splunk how to index the data rather than letting it guess. The proliferation of these numbered sourcetypes is because each time Splunk is looking at your file, it detects a slightly different shape, and so it keeps incrementing that number. I've seen "csv-63" as a sourcetype name.

This is where your expertise as the administrator comes in handy. You know that your IIS logs are writing their output in a certain format, and even the field order. You can provide a sourcetype parameter in your inputs.conf definition to brand the indexed data with that sourcetype. Then, if you need to write your own field extractions, you'll be doing so for just one sourcetype, rather than trying to rename them all to match the "generic" type.

0 Karma
Reply

hulahoop
Splunk Employee
Splunk Employee
‎10-18-2010 04:59 PM

Unfortunately wildcards are currently not supported in sourcetype renaming. Please file an enhancement request with the Splunk Support team to "vote" up this feature.

Reply

mikefife
New Member
‎08-01-2013 08:37 AM

I could really do with this as a feature too!

0 Karma
Reply

sloshburch
Ultra Champion
‎07-26-2013 11:19 AM

Anyone know if this made it into splunk?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...