Getting Data In

Sourcetype Aliases


According to the documentation for Splunk version 3.x there is the ability to alias a sourcetype, however it does not appear to exist under version 4.x.

I find myself in the position where I have many applications all logging via log4j and would like to be able to filter my searches on application type.

I was hoping to be able to setup the forwarders via the CLI, adding the monitor statements with an explicit -sourcetype.

The only other option I can see is to setup TAGs on each of the source statements based on filename (Can tags be managed automatically for certain sources, perhaps based on a regex?)

Any suggestions or clarifications would be greatly appreciated.



P.S. In case it was not immediately obvious, yes I am very new to splunk.

Tags (2)
0 Karma

Splunk Employee
Splunk Employee

I don't think this is what you want to do, though the specific answer to how to alias a sourcetype is given later. It seems to me that you simply want to specify a sourcetype for a set of input files. Normally, you can simply specify one when you create the input, either in the Manager GUI, or with sourcetype = mysourcetype in inputs.conf, or with a sourcetype stanza based on source in props.conf.

If you were using a Splunk forwarder that would be it. If not, you may have to use a TRANSFORM stanza to modify/set the sourcetype at index time, much as with host names:

You can rename sourcetypes in 4.x. props.conf.spec says:

rename = <string>
* Renames <sourcetype> as <string>
* With renaming, you can search for the sourcetype with sourcetype=<string>
* To search for the original sourcetype without renaming, use the field _sourcetype

therefore, for example:

rename = mynewsourcetype
Get Updates on the Splunk Community!

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

Observability Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestSplunk APM's New Tag Filter ExperienceSplunk APM has updated ...

Security Newsletter Updates | March 2023

 March 2023 | Check out the latest and greatestUnify Your Security Operations with Splunk Mission Control The ...