
overriding a sourcetype

jtatar
New Member

I am trying to find where sourcetypes are defined. I am trying to locate where the sourcetype=snort is defined. I can't find it in data inputs or tags. I want to override the definition of the sourcetype snort as host="snort" source=udp:514 and don't want to break the configuration for the existing 514 udp data input.

The documentation just doesn't convey the information needed to locate and make the change.


jbsplunk
Splunk Employee

I may be a bit confused as to what you are attempting to do with your configuration. Are you saying that you want to have the hostname set to a particular static value, or that you want to override the sourcetype setting?

I looked at the SnortforSplunk app, and it appears to use the rename function in props.conf to overwrite the sourcetype:

[snort_alert_fast]
rename = snort

Presumably you could simply put a props.conf file in $SPLUNK_HOME/etc/apps/SplunkForSnort/local with

[snort_alert_fast]
rename = yoursourcetype

Some detailed information on sourcetypes is available here, including information on overwriting:

sourcetypes can be defined in the inputs.conf file by using

sourcetype = sourcetypename

sourcetype = <string>
* Sets the sourcetype key/field for events from this input.
* Primarily used to explicitly declare the source type for this data, as opposed
  to allowing it to be determined via automated methods.  This is typically
  important both for searchability and for applying the relevant configuration for this
  type of data during parsing and indexing.
* Detail: Sets the sourcetype key's initial value. The key is used during
  parsing/indexing, in particular to set the source type field during
  indexing. It is also the source type field used at search time.
* As a convenience, the chosen string is prepended with 'sourcetype::'.
* If unset, Splunk picks a source type based on various aspects of the data.
  There is no hard-coded default.

http://www.splunk.com/base/Documentation/latest/admin/Inputsconf

sourcetype can also be defined in props.conf:

#******************************************************************************
# Sourcetype configuration
#******************************************************************************

sourcetype = <string>
* Can only be set for a [source::...] stanza.
* Anything from that <source> is assigned the specified source type.
* Defaults to empty.

There is a lot more information on this here:

http://www.splunk.com/base/Documentation/latest/admin/Propsconf

It is also possible to rewrite the sourcetype using a transform in transforms.conf:

http://www.splunk.com/base/Documentation/latest/admin/Transformsconf

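A worked configuration for the scenario in the question (re-typing only the udp:514 events whose host field is snort, leaving everything else on the port untouched), added here as an example and not part of either post. The transform name set_snort_sourcetype and the assumption that the host field resolves to the literal value snort are mine; the settings themselves are standard inputs.conf/props.conf/transforms.conf keys.

```ini
# inputs.conf (in an app's local/ directory)
# The existing listener. Setting sourcetype here would stamp every event on
# the port, so it is left alone; only the host resolution is made explicit
# so that the host field carries a name rather than the sender IP.
[udp://514]
connection_host = dns

# props.conf (local/)
# Stanza precedence: [source::...] settings override [host::...] settings,
# which in turn override plain [<sourcetype>] settings, so this stanza wins
# over whatever the SplunkForSnort app ships in its default/props.conf.
# Note that "rename = ..." in props.conf is a search-time alias only; the
# TRANSFORMS- setting below changes the indexed sourcetype and therefore
# applies only to data arriving after the restart, on the parsing tier
# (indexer or heavy forwarder), not on a universal forwarder.
[source::udp:514]
TRANSFORMS-set_snort = set_snort_sourcetype

# transforms.conf (local/)
# Match on the host key rather than the raw event so that other senders on
# udp:514 keep their automatically assigned sourcetype. MetaData:Host holds
# the value in the form "host::<name>"; the new sourcetype is written with
# the "sourcetype::" prefix the answer above describes.
[set_snort_sourcetype]
SOURCE_KEY = MetaData:Host
REGEX = ^host::snort$
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::snort
```

After restarting, check the result with a search such as `source="udp:514" | stats count by host, sourcetype`, which should show sourcetype=snort only for host=snort.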