Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to fix conflicting Sourcetypes

JoeSco27
Communicator
‎08-27-2013 06:51 AM

My Splunk instance had a sourcetype called Netstat (csv format), when I downloaded the *Nix App (which also has a Netstat sourcetype) all the data was reformatted based on the NIX Netstat sourcetype format. I changed the .conf files so that the original Netstat sourcetype is now called Orig-Netstat and now the new data is being parsed correctly again. Is it possible to get the historical data that I used to have in netstat before I downloaded *NIX back into my format?

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎08-27-2013 07:33 AM

It is not possible to change the sourcetype of an event already indexed.
There is a way to create a sourcetype alias, but it will not solve all your problem.

Is the data badly parsed :

  • at index time (line breaking, timestamp recognition)
  • or a search time (field extraction...).

For the second one, you could try to change the permissions on the netstat sourcetype field extractions in the unix app to be local to the app (therefore it will not apply in the other apps you have, etc...)

Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...