Solved: How to know sourcetype defined - Splunk Community

Splunk Enterprise

I have some logs coming into splunk and there are parsing correctly without any issues

Index= xxx sourcetype=splunk-logs

But now the logs time zone changed now i have to update the time zone in props.conf

So where can I find this existing sourcetype=splunk-logs in splunk

1 Solution

Solution

Use btool

splunk btool --debug props list splunk-logs

It will display all of the props for the sourcetype along with the file name in which the prop is defined.

Remember, never change $SPLUNK_HOME/etc/system/default/props.conf and change $SPLUNK_HOME/etc/apps/*/default/props.conf only if it's your app. Otherwise, put the change in local/props.conf.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Solution

Use btool

splunk btool --debug props list splunk-logs

It will display all of the props for the sourcetype along with the file name in which the prop is defined.

Remember, never change $SPLUNK_HOME/etc/system/default/props.conf and change $SPLUNK_HOME/etc/apps/*/default/props.conf only if it's your app. Otherwise, put the change in local/props.conf.

---
If this reply helps you, Karma would be appreciated.

Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious! We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...