Getting Data In

Sourcetype Aliases

mgherman
Explorer

According to the documentation for Splunk version 3.x there is the ability to alias a sourcetype, however it does not appear to exist under version 4.x.

I find myself in the position where I have many applications all logging via log4j and would like to be able to filter my searches on application type.

I was hoping to be able to setup the forwarders via the CLI, adding the monitor statements with an explicit -sourcetype.

The only other option I can see is to setup TAGs on each of the source statements based on filename (Can tags be managed automatically for certain sources, perhaps based on a regex?)

Any suggestions or clarifications would be greatly appreciated.

Regards,

mgh

P.S. In case it was not immediately obvious, yes I am very new to splunk.

Tags (2)
0 Karma

gkanapathy
Splunk Employee
Splunk Employee

I don't think this is what you want to do, though the specific answer to how to alias a sourcetype is given later. It seems to me that you simply want to specify a sourcetype for a set of input files. Normally, you can simply specify one when you create the input, either in the Manager GUI, or with sourcetype = mysourcetype in inputs.conf, or with a sourcetype stanza based on source in props.conf.

If you were using a Splunk forwarder that would be it. If not, you may have to use a TRANSFORM stanza to modify/set the sourcetype at index time, much as with host names: http://www.splunk.com/base/Documentation/latest/Admin/Overridedefaulthostassignments

You can rename sourcetypes in 4.x. props.conf.spec says:

rename = <string>
* Renames <sourcetype> as <string>
* With renaming, you can search for the sourcetype with sourcetype=<string>
* To search for the original sourcetype without renaming, use the field _sourcetype

therefore, for example:

[myoldsourcetype]
rename = mynewsourcetype
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...