Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do change sourcetype

sureshmani04
New Member
‎07-13-2025 11:20 AM

I am looking for change the source type for this apps Splunk Add-on for Microsoft Security

Labels (2)
Labels
0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎07-15-2025 02:17 AM

Hi @sureshmani04 

hope you got the solution.. if so, could you pls mark the question as solved, so it will be moved from unanswered to solved. thanks. karma / upvotes are always welcomed, thanks. 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎07-14-2025 02:32 AM

What is the problem you are trying to solve? Not the immediate technical "problem" - how to change sourcetype - but the business one. Why do you want to do that?

Reply

isoutamo
SplunkTrust
SplunkTrust
‎07-14-2025 01:01 AM
Could you describe what is your issue which you are trying to solve? Not the action how you are solving it!
Reply

inventsekar
SplunkTrust
SplunkTrust
‎07-13-2025 07:45 PM

Hi @sureshmani04 

1) do you want to change the sourcetype of the already indexed data 

or 

2) new data that is yet to be onboarded 

 

for the case 1, the answer is no. once the data is ingested, we can not alter / modify anything to the indexed data. 

for the case 2, you can refer the previous reply. pls note that, most of the times you need not change/modify the sourcetype of an app/add-on, unless you have some specific requirements, thanks. 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply

marnall
Motivator
‎07-13-2025 12:00 PM

When changing the sourcetype, please note that any knowledge objects (field extractions, calculated fields, etc) in the app that apply to the previous sourcetype will then no longer apply, unless you then modify them to apply to the new sourcetype.

It is likely possible to configure the app using the webUI to make the /local/inputs.conf stanzas, which could then be edited to use a different sourcetype. 

Another option would be to use transforms to change the sourcetype:

You can put these config files in the local directory of the app (E.g. /opt/splunk/etc/apps/Splunk_TA_MS_Security/local) in the heavy forwarder where you installed the app, or append their contents to existing files of the same name in the local directory.

props.conf

# e.g. if you want to change ms365:defender:incident to "ms:new:sourcetype:value". Add more stanzas for each sourcetype to change.
[ms365:defender:incident]
TRANSFORMS-ChangeSourceType = ChangeSourceType

 

transforms.conf

[ChangeSourceType]
#custom regex can be set here to apply to matching events
REGEX = .*
FORMAT = sourcetype::"ms:new:sourcetype:value"

 

Ref:
https://docs.splunk.com/Documentation/Splunk/latest/Data/Advancedsourcetypeoverrides

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...