Sourcetype renaming not taking

srich
Explorer

Following the documentation for sourcetype renaming, I still fail to get it working. I have added an entry in Sourcetype renaming and have created a props.conf file in the etc/system/local directory. I have restarted Splunkd and still zip. I'm running the latest version of Splunk. Help!

props.conf:
[Printer]
rename=System-III

[Printer2]
rename=System-III

[Printer3]
rename=System-III

[Printer-too_small]
rename=System-III

0 Karma

pgoyal_splunk
Splunk Employee

If you have Splunk Enterprise, you can use the rename attribute in props.conf to assign events to a new source type at search time. In case you ever need to search on it, the original source type is moved to a separate field, _sourcetype.
Make the changes on the search head.

You can also refer to the link below to rename the sourcetype at search time.

https://docs.splunk.com/Documentation/Splunk/8.0.1/Data/Renamesourcetypes

0 Karma

ewoo
Splunk Employee

Sourcetype renaming is a search-time operation. The props.conf with the renamed sourcetype should be placed on your search head. You should be able to observe the renamed sourcetype taking effect immediately by running a search; you do not need to index any new data.

0 Karma

gnovak
Builder

After I thought this worked, it actually didn't. I have props.conf on all of my main indexers and still I am not seeing the sourcetype renamed. It's still showing up as the old one.

0 Karma

gnovak
Builder

Actually, one thing I just found out. I put the props.conf on the indexer and it appears to be working. At first I put it on the lightweight forwarder.

0 Karma

gnovak
Builder

I am also seeing the same thing. I have put a props.conf file in the /etc/system/local directory and it looks almost identical in format to the one posted by srich. After about an hour I still am not seeing all my sourcetypes renamed. How long does this take?

0 Karma