Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How do I change sourcetype but also keep previ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all,
I realized then Splunk hasn't been correctly auto-setting the sourcetypes for my incoming logs, resulting in lots of sourcetypes.
Now, when I want to do field extractions, I'm unable to do so to multiple logs at once since they have different sourcetypes.
Is it possible for me to set two sourcetypes to a single source so that I can do field extractions for the new sourcetype while keeping the old extractions for the old sourcetype?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here's what I did,
I duplicated whatever field extractions I had in my props.conf file. E.g.;
Props.conf before duplication.
[oldsourcetype]
(?P<somefieldextraction>.*?)
Props.conf after duplication.
[oldsourcetype]
(?P<somefieldextraction>.*?)
[newsourcetype]
(?P<somefieldextraction>.*?)
This way, the old indexed data will still have the field extractions and I can search for the fields from both old and new sourcetype.
After doing this, I edited my inputs.conf to include sourcetype = newsourcetype on my monitors so that they use the new sourcetype.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here's what I did,
I duplicated whatever field extractions I had in my props.conf file. E.g.;
Props.conf before duplication.
[oldsourcetype]
(?P<somefieldextraction>.*?)
Props.conf after duplication.
[oldsourcetype]
(?P<somefieldextraction>.*?)
[newsourcetype]
(?P<somefieldextraction>.*?)
This way, the old indexed data will still have the field extractions and I can search for the fields from both old and new sourcetype.
After doing this, I edited my inputs.conf to include sourcetype = newsourcetype on my monitors so that they use the new sourcetype.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That is exactly what rename is for: the new is sourcetype and the old is _sourcetype:
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf
rename = <string>
* Renames [<sourcetype>] as <string> at search time
* With renaming, you can search for the [<sourcetype>] with
sourcetype=<string>
* To search for the original source type without renaming it, use the
field _sourcetype.
* Data from a a renamed sourcetype will only use the search-time
configuration for the target sourcetype. Field extractions
(REPORTS/EXTRACT) for this stanza sourcetype will be ignored.
* Defaults to empty.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
But if I use rename, I won't be able to do field extractions. Which is the main reason why I want to rename the sourcetypes, as I have same type of logs from multiple sources but, due to Splunk not auto-assigning the sourcetype properly, they are all having different sourcetypes meaning, I'm not able to do field extraction for all sources at once.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What were to happen if I were to change the sourcetype in inputs.conf?
Building Reliable Asset and Identity Frameworks in Splunk ES
Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting
Automatic Discovery Part 3: Practical Use Cases
