Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Sourcetype renaming not taking

srich
Explorer
‎08-31-2011 11:56 AM

Following the documentation for sourcetype renaming, I still fail to get it working. I have added an entry in Sourcetype renaming and have created a props.conf file in the etc/system/local directory. I have restarted Splunkd and still zip. I'm running the latest version of Splunk. Help!

props.conf:
[Printer]
rename=System-III

[Printer2]
rename=System-III

[Printer3]
rename=System-III

[Printer-too_small]
rename=System-III

Tags (2)
0 Karma
Reply

pgoyal_splunk
Splunk Employee
Splunk Employee
‎01-30-2020 09:25 PM

If you have Splunk Enterprise, you can use the rename attribute in props.conf to assign events to a new source type at search time. In case you ever need to search on it, the original source type is moved to a separate field, _sourcetype.
Do the changes on the search Head.

You can also refer to the below link to rename the sourcetype at search time.

https://docs.splunk.com/Documentation/Splunk/8.0.1/Data/Renamesourcetypes

0 Karma
Reply

ewoo
Splunk Employee
Splunk Employee
‎11-21-2011 06:15 PM

Sourcetype renaming is a search-time operation. The props.conf with the renamed sourcetype should be placed on your search head. You should be able to observe the renamed sourcetype taking effect immediately by running a search; you do not need to index any new data.

0 Karma
Reply

gnovak
Builder
‎11-18-2011 12:53 PM

After i thought this worked, it actually didn't. I have props.conf on all of my main indexers and still i am not seeing the sourcetype renamed. it's still showing up as the old one.

0 Karma
Reply

gnovak
Builder
‎11-18-2011 09:44 AM

Actually one thing i just found out. I put the props.conf on the indexer and it appears to be working. At first I put it on the lightweight forwarder.

0 Karma
Reply

gnovak
Builder
‎11-18-2011 09:34 AM

I am also seeing the same thing. I have put a props.conf file in /etc/system/local directory and it looks almost identical in the format of the one post by srich. After about an hour I still am not seeing all my sourcetypes renamed. How long does this take?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...