Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why am I unable to rename sourcetypes with my current attempts?

juraj
Explorer
‎06-06-2016 11:45 PM

Hello everyone,

I see that this question has been posted many times, but none of the suggested fixes appear to work for me.
I have several data sources indexed with a wrong sourcetype.
E.g. my sourcetypes are log.1, log.2, log.3 ... and I'd like to rename them to "log" at search time.

I put in the props.conf on the search head the following:

[log*]
rename = log

but it doesn't seem to work after running the | extract reload=t.
I have also tried [log...] which should accomplish the same thing, or the somewhat arcane looking [(?:::){0}log*], but none of these appear to work.

Am I doing something obviously wrong here? I'm not touching transforms.conf, but per docs, I shouldn't really need to, and the simple two lines in props.conf on the search head should work.

Many thanks!

J.

0 Karma
Reply

woodcock
Esteemed Legend
‎06-07-2016 09:29 AM

Like this in props.conf (it works, I tested it):

[(?:::){0}log*]
rename = log
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...