Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I change sourcetype but also keep previous sourcetype?

ZacEsa
Communicator
‎08-25-2016 06:53 PM

Hi all,

I realized then Splunk hasn't been correctly auto-setting the sourcetypes for my incoming logs, resulting in lots of sourcetypes.

Now, when I want to do field extractions, I'm unable to do so to multiple logs at once since they have different sourcetypes.

Is it possible for me to set two sourcetypes to a single source so that I can do field extractions for the new sourcetype while keeping the old extractions for the old sourcetype?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ZacEsa
Communicator
‎08-30-2016 07:43 PM

Here's what I did,

I duplicated whatever field extractions I had in my props.conf file. E.g.;

Props.conf before duplication.

[oldsourcetype]
(?P<somefieldextraction>.*?)

Props.conf after duplication.

[oldsourcetype]
(?P<somefieldextraction>.*?)

[newsourcetype]
(?P<somefieldextraction>.*?)

This way, the old indexed data will still have the field extractions and I can search for the fields from both old and new sourcetype.

After doing this, I edited my inputs.conf to include sourcetype = newsourcetype on my monitors so that they use the new sourcetype.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ZacEsa
Communicator
‎08-30-2016 07:43 PM

Here's what I did,

I duplicated whatever field extractions I had in my props.conf file. E.g.;

Props.conf before duplication.

[oldsourcetype]
(?P<somefieldextraction>.*?)

Props.conf after duplication.

[oldsourcetype]
(?P<somefieldextraction>.*?)

[newsourcetype]
(?P<somefieldextraction>.*?)

This way, the old indexed data will still have the field extractions and I can search for the fields from both old and new sourcetype.

After doing this, I edited my inputs.conf to include sourcetype = newsourcetype on my monitors so that they use the new sourcetype.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎08-25-2016 07:25 PM

That is exactly what rename is for: the new is sourcetype and the old is _sourcetype:
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf

rename = <string>
* Renames [<sourcetype>] as <string> at search time
* With renaming, you can search for the [<sourcetype>] with
  sourcetype=<string>
* To search for the original source type without renaming it, use the 
  field _sourcetype.
* Data from a a renamed sourcetype will only use the search-time
  configuration for the target sourcetype. Field extractions
  (REPORTS/EXTRACT) for this stanza sourcetype will be ignored.
* Defaults to empty.
0 Karma
Reply
Solved! Jump to solution

ZacEsa
Communicator
‎08-25-2016 07:58 PM

But if I use rename, I won't be able to do field extractions. Which is the main reason why I want to rename the sourcetypes, as I have same type of logs from multiple sources but, due to Splunk not auto-assigning the sourcetype properly, they are all having different sourcetypes meaning, I'm not able to do field extraction for all sources at once.

0 Karma
Reply
Solved! Jump to solution

ZacEsa
Communicator
‎08-25-2016 08:41 PM

What were to happen if I were to change the sourcetype in inputs.conf?

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Brute Force Account Takeover Fraud with Splunk

This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...

Buttercup Games: Further Dashboarding Techniques (Part 9)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Buttercup Games: Further Dashboarding Techniques (Part 8)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top