Solved: Search based on a source type overwritten on a per...

kagrze · ‎07-24-2013

I've implemented per-event source types assignment as described here: http://docs.splunk.com/Documentation/Splunk/5.0.3/Data/Advancedsourcetypeoverrides Basically it works. For events matching a REGEX source type is overwritten. Unfortunately when I use this source type in a search query no events are returned. Is it because override is done on a search-time instead of an index-time? Is it possible to solve this?

kagrze · ‎07-24-2013

OK, I've solved it. I made a mistake. Instead of FORMAT = sourcetype::<your_custom_sourcetype_value> I wrote FORMAT = <your_custom_sourcetype_value> (I forgot about sourcetype::). It was hard to spot because Splunk was correctly overwriting sourcetype field in search results.

View solution in original post

kagrze · ‎07-24-2013

OK, I've solved it. I made a mistake. Instead of FORMAT = sourcetype::<your_custom_sourcetype_value> I wrote FORMAT = <your_custom_sourcetype_value> (I forgot about sourcetype::). It was hard to spot because Splunk was correctly overwriting sourcetype field in search results.

bmacias84 · ‎07-24-2013

It would help if you posted the stanzas in your .conf related to this.

Search based on a source type overwritten on a per-event basis not returning any events

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk