Calling different sourcetype stanzas in search-time field extraction defined in props.conf

yuwtennis
Communicator

Hi!

I would like to get help with whether the following configuration is possible or not.

I already have 1000 of events as sourcetype A in index A.
However, I want to use a different stanza in props.conf for a different purpose,
perhaps as sourcetype B overriding sourcetype A.

Is such a thing possible?
Any help is appreciated!

Thanks,
Yu

0 Karma

woodcock
Esteemed Legend

You can override the entire sourcetype or a subset of the events in the sourcetype. You can also rename the entire sourcetype or a subset of the events in the sourcetype. This is all well-documented:
http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Advancedsourcetypeoverrides

0 Karma
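
An added illustration, not part of either post above and not copied from the linked documentation: the two approaches named in the answer (renaming a sourcetype, and overriding it for a subset of events) written out as configuration. The stanza names A and B follow the question; the `EXTRACT-user` regex, the transform name `set_sourcetype_b` and the `action=login` match are hypothetical.

```ini
# ---- props.conf on the search head ---------------------------------
# Search-time rename: events stored as sourcetype A are presented as
# sourcetype B in searches. Nothing is re-indexed, so this also covers
# events that are already in the index.
[A]
rename = B

# Search-time settings are now read from the target stanza. Extractions
# that were defined under [A] no longer apply to the renamed events.
[B]
# hypothetical extraction, for illustration only
EXTRACT-user = user=(?<user>\S+)

# ---- props.conf on the indexer or heavy forwarder -------------------
# Index-time override for a subset of events. Use this instead of the
# rename above when only some events should become B. It affects only
# events indexed after the configuration is deployed.
[A]
TRANSFORMS-set_b = set_sourcetype_b

# ---- transforms.conf on the same instance ---------------------------
[set_sourcetype_b]
# hypothetical pattern selecting the subset of events to re-type
REGEX = action=login
FORMAT = sourcetype::B
DEST_KEY = MetaData:Sourcetype
```

With the rename in place, the original name is still searchable through the `_sourcetype` field, which is useful for confirming that existing saved searches and detections keyed on sourcetype A still match what they should.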