Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Sourcetype renaming not taking

srich
Explorer
‎08-31-2011 11:56 AM

Following the documentation for sourcetype renaming, I still fail to get it working. I have added an entry in Sourcetype renaming and have created a props.conf file in the etc/system/local directory. I have restarted Splunkd and still zip. I'm running the latest version of Splunk. Help!

props.conf:
[Printer]
rename=System-III

[Printer2]
rename=System-III

[Printer3]
rename=System-III

[Printer-too_small]
rename=System-III

Tags (2)
0 Karma
Reply

pgoyal_splunk
Splunk Employee
Splunk Employee
‎01-30-2020 09:25 PM

If you have Splunk Enterprise, you can use the rename attribute in props.conf to assign events to a new source type at search time. In case you ever need to search on it, the original source type is moved to a separate field, _sourcetype.
Do the changes on the search Head.

You can also refer to the below link to rename the sourcetype at search time.

https://docs.splunk.com/Documentation/Splunk/8.0.1/Data/Renamesourcetypes

0 Karma
Reply

ewoo
Splunk Employee
Splunk Employee
‎11-21-2011 06:15 PM

Sourcetype renaming is a search-time operation. The props.conf with the renamed sourcetype should be placed on your search head. You should be able to observe the renamed sourcetype taking effect immediately by running a search; you do not need to index any new data.

0 Karma
Reply

gnovak
Builder
‎11-18-2011 12:53 PM

After i thought this worked, it actually didn't. I have props.conf on all of my main indexers and still i am not seeing the sourcetype renamed. it's still showing up as the old one.

0 Karma
Reply

gnovak
Builder
‎11-18-2011 09:44 AM

Actually one thing i just found out. I put the props.conf on the indexer and it appears to be working. At first I put it on the lightweight forwarder.

0 Karma
Reply

gnovak
Builder
‎11-18-2011 09:34 AM

I am also seeing the same thing. I have put a props.conf file in /etc/system/local directory and it looks almost identical in the format of the one post by srich. After about an hour I still am not seeing all my sourcetypes renamed. How long does this take?

0 Karma
Reply
Get Updates on the Splunk Community!

Community Content Calendar, November Edition

Welcome to the November edition of our Community Spotlight! Each month, we dive into the Splunk Community to ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...