Getting Data In

How to change sourcetype name?

lsmkelvin
New Member

When i execute a schedule report (summary index) on Splunk, the sourcetype name will be default as "stash".
How can i change the sourcetype name from "stash" to my own specific name?

Here is my search string:
index=idx_wls_access_log_raw splunk_server=local | eval uri_type=case(cs_uri_stem=="/lbHealthMon/index.jsp", "lbhealthmon", 1=1, "application") | bucket _time span=15m | stats count(cs_uri_stem) as "count", sum(time_taken) as "processing_time_total", avg(time_taken) as "processing_time_avg", max(time_taken) as "processing_time_max", exactperc99.99(time_taken) as "processing_time_99.99%-tile" ................... count(eval(sc_status>=400 AND sc_status<=499)) as "response_code_4xx", count(eval(sc_status>=500 AND sc_status<=599)) as "response_code_5xx" by _time uri_type managed_server domain | eval starttime = _time | eval endtime = _time + 900 | eval _time = now()

Thanks
Best regards

Tags (2)
0 Karma

somesoni2
SplunkTrust
SplunkTrust

Not sure if you can change the sourcetype for summary indexing. But to access the data inside the summary indexing, you can use "source" field on the data, which is equal to your schedule search name.

0 Karma

lsmkelvin
New Member

Thanks for you reply, i will try it later.
Thanks ^^

0 Karma

somesoni2
SplunkTrust
SplunkTrust

As I mentioned earlier, there is no option to change the source type for scheduled reports with summary indexing enabled. If you want to change the sourcetype to your own custom name because of accurate accessibility, use "source=scheduledReportName" in your search instead of sourcetype=stash

0 Karma

lsmkelvin
New Member

When i create a schedule report in "Searches and Reports", it allows me to choose the index, however, i cannot choose the sourcetype. After saved the schedule report, the sourcetype will be defined as "stash". I just wonder where can i set the sourcetype name when i create the report in splunk.

Thanks.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...