I have an inputs.conf
[monitor:///tmp/a.txt]
index=a
sourcetype=AA
Now, I want to overwrite the sourcetype on the HF as mentioned in the Splunk docs.
props.conf
[source::/tmp/a.txt]
SHOULD_LINEMERGE=false
sourcetype=BB
But my sourcetype is not getting overwritten; I am getting the same sourcetype, AA, on my IDX server. How do I correct it?
You'd have to use transforms to update the sourcetype metadata, like this:
props.conf
[source::/tmp/a.txt]
SHOULD_LINEMERGE=false
TRANSFORMS-overridest = override_st
transforms.conf
[override_st]
REGEX = .
FORMAT = sourcetype::BB
DEST_KEY = MetaData:Sourcetype
This will be your reference Splunk documentation for the same: http://docs.splunk.com/Documentation/Splunk/7.0.3/Data/Advancedsourcetypeoverrides
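As an added check (not part of the answer above or of Splunk's own tooling), the script below lints a props.conf/transforms.conf pair before a splunkd restart: it verifies that every TRANSFORMS-* reference points at an existing transforms stanza that rewrites MetaData:Sourcetype, and it flags the bare sourcetype= key from the original question. Sample configs are constructed inline; the stanza names come from the thread.

```python
"""Lint a props.conf / transforms.conf pair for a sourcetype override.

Constructed example: parses the two files with configparser (Splunk conf
files are INI-like) and reports anything that would stop the override
from working. An empty result means the override looks correct.
"""
import configparser


def _load(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str  # keep Splunk attribute names case-sensitive
    cp.read_string(text)
    return cp


def check_sourcetype_override(props_text, transforms_text):
    """Return a list of findings (strings); empty means no problems found."""
    props, transforms = _load(props_text), _load(transforms_text)
    findings = []
    for stanza in props.sections():
        if not stanza.startswith("source::"):
            continue
        keys = props[stanza]
        # A plain sourcetype= in a [source::...] stanza does not replace a
        # sourcetype already assigned in inputs.conf; transforms are needed.
        if "sourcetype" in keys:
            findings.append(f"[{stanza}]: 'sourcetype={keys['sourcetype']}' does not "
                            "override inputs.conf; use TRANSFORMS-* with "
                            "DEST_KEY = MetaData:Sourcetype")
        for key, ref in keys.items():
            if not key.startswith("TRANSFORMS-"):
                continue
            for name in (n.strip() for n in ref.split(",")):
                if name not in transforms:
                    findings.append(f"[{stanza}]: {key} references missing "
                                    f"transforms stanza [{name}]")
                    continue
                t = transforms[name]
                if t.get("DEST_KEY") != "MetaData:Sourcetype":
                    findings.append(f"[{name}]: DEST_KEY must be "
                                    f"MetaData:Sourcetype, got {t.get('DEST_KEY')!r}")
                if not t.get("FORMAT", "").startswith("sourcetype::"):
                    findings.append(f"[{name}]: FORMAT must be sourcetype::<name>, "
                                    f"got {t.get('FORMAT')!r}")
                if not t.get("REGEX"):
                    findings.append(f"[{name}]: REGEX is required ('.' matches all)")
    return findings


# Constructed samples: the working config from the answer, and the original attempt.
WORKING_PROPS = "[source::/tmp/a.txt]\nSHOULD_LINEMERGE=false\nTRANSFORMS-overridest = override_st\n"
WORKING_TRANSFORMS = "[override_st]\nREGEX = .\nFORMAT = sourcetype::BB\nDEST_KEY = MetaData:Sourcetype\n"
BROKEN_PROPS = "[source::/tmp/a.txt]\nSHOULD_LINEMERGE=false\nsourcetype=BB\n"
```

Run it against the files deployed on the HF; if it reports nothing and the sourcetype still arrives as AA, the override is being applied on the wrong instance rather than being misconfigured.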
Do I have to make it on the HF? Or the IDX? ...
Whichever comes first in the data flow from the source. Generally, if you're using an HF before the indexer, set this up on the HF. A restart of the splunkd service would be required, and it'd only affect new events that come in after you set this up.
If I have UF---HF---IDX, then?
Still on the HF (the first Splunk Enterprise instance in the flow; after the UF, the first Splunk Enterprise instance is the HF, so HF).
No, it is not working.
The sourcetype is not getting renamed on the HF. But if I do it on the IDX, it is working.