Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Setting sourcetype based on source via .conf file

deepak02
Path Finder
‎03-28-2017 09:58 AM

Hi,

I had an Application Server feeding logs into Splunk. Details as follows,

Source: /abc/logs/System-Perf-managed-vm1.log
Sourcetype: SystemPerf

The Application Server recently changed to a different name, and the sourcetype changed too.

Source: /abc/logs/System-PerfRest-managed-vm5.log
Sourcetype: SystemPerfRest

There seems to be a mapping between the source and the sourcetypes.
I do not have access to the conf files. I would like to know where this mapping will be defined (inputs.conf/props.conf/transforms.conf).

Thanks,
Deepak

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎03-28-2017 10:26 AM

As Splunk admin, whenever I have to modify a sourcetype, I always also add a sourcetype rename to props.conf so that the old/wrong sourcetype appears (at search time) as the new/correct sourcetype:

https://docs.splunk.com/Documentation/SplunkCloud/6.5.1612/Data/Renamesourcetypes

Reply

cpetterborg
SplunkTrust
SplunkTrust
‎03-28-2017 10:21 AM

Typically:

inputs.conf lists the files to be indexed (source) and which sourcetype for that source. This would go on the deployment server to be distributed to the universal forwarders.

props.conf usually goes on the indexers (though the cluster master if you are in a clustered environment) and maps the sourcetype (typically) to how the indexers are supposed to parse the file for indexing. It also identifies transforms that can be found in the transforms.conf file.

transforms.conf usually goes along with the props.conf file to define the transforms to the data, which may include the file name (source), the data transforms (actual changes to the data), and other such actions.

So the mapping occurs from the source to the sourcetype typically through the inputs.conf file, though that can be modified through the props.conf and transforms.conf files.

Reply

lguinn2
Legend
‎03-28-2017 10:18 AM

This could be defined in the inputs.conf or (more likely) it could be defined in the props.conf

[source::/abc/logs/System-PerfRest-managed-vm5.log]
sourcetype=abc

However, there might not be any setting for sourcetype in either of these files. By default, when no sourcetype is explicitly supplied and Splunk cannot identify the sourcetype, it automatically assigns a portion of the file name as the sourcetype.
You can override this behavior by putting the above stanza in a props.conf file that is located in the same directory as the inputs.conf file.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...