Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Sourcetype Aliases

mgherman
Explorer
‎08-09-2010 11:32 PM

According to the documentation for Splunk version 3.x there is the ability to alias a sourcetype, however it does not appear to exist under version 4.x.

I find myself in the position where I have many applications all logging via log4j and would like to be able to filter my searches on application type.

I was hoping to be able to setup the forwarders via the CLI, adding the monitor statements with an explicit -sourcetype.

The only other option I can see is to setup TAGs on each of the source statements based on filename (Can tags be managed automatically for certain sources, perhaps based on a regex?)

Any suggestions or clarifications would be greatly appreciated.

Regards,

mgh

P.S. In case it was not immediately obvious, yes I am very new to splunk.

Tags (2)
0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎08-10-2010 06:59 AM

I don't think this is what you want to do, though the specific answer to how to alias a sourcetype is given later. It seems to me that you simply want to specify a sourcetype for a set of input files. Normally, you can simply specify one when you create the input, either in the Manager GUI, or with sourcetype = mysourcetype in inputs.conf, or with a sourcetype stanza based on source in props.conf.

If you were using a Splunk forwarder that would be it. If not, you may have to use a TRANSFORM stanza to modify/set the sourcetype at index time, much as with host names: http://www.splunk.com/base/Documentation/latest/Admin/Overridedefaulthostassignments

You can rename sourcetypes in 4.x. props.conf.spec says:

rename = <string>
* Renames <sourcetype> as <string>
* With renaming, you can search for the sourcetype with sourcetype=<string>
* To search for the original sourcetype without renaming, use the field _sourcetype

therefore, for example:

[myoldsourcetype]
rename = mynewsourcetype
Reply
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!

Get Updates on the Splunk Community!