Retiring an app, how do I combine sourcetypes with...

tkwaller · ‎06-04-2015

Hello

I have two apps apache_forwarder and apache_unified_forwarder. I am getting ready to retire the apache_unified_forwarder app but there are a few issues in inputs.conf that need to be resolved first.

I need to combine the sourcetypes. How would I combine this stanza without breaking sourcetyping or duplicating data:

[monitor:///var/log/httpd/ssl_access_log]
disabled = false
sourcetype = s_apache
index = apache_access_logs
recursive=false
whitelist = /ssl_access_log$
followSymlink = false

into

[monitor:///var/log/httpd/access_log]
disabled = false
followTail = 0
sourcetype = access_combined
index = apache_access_logs
recursive=false
followSymlink = false
whitelist=access_log$
blacklist=ssl

[monitor:///var/log/httpd/error_log]
disabled = false
followTail = 0
sourcetype = apache_error
index = apache_access_logs
recursive=false
followSymlink = false

[monitor:///var/log/httpd/ssl_access_log]
disabled = false
followTail = 0
sourcetype = apache_combined
index = apache_access_logs
recursive=false
followSymlink = false
whitelist=ssl_access_log$

[monitor:///var/log/httpd/mod_jk.log]
disabled = false
followTail = 0
sourcetype = mod_jk
index = mod_jk
recursive=false
followSymlink = false

woodcock · ‎06-04-2015

I am sure you can figure something out using sourcetype renaming which allows you to see both the original as field _sourcetype and the renamed one as field sourcetype:

http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Renamesourcetypes

tkwaller · ‎06-04-2015

Yes I found that, the problem is that any savedsearch/dashboard/alert that uses sourcetype=whatever will have to be found and changed.

Thanks for the link, much appreciated.

Retiring an app, how do I combine sourcetypes without breaking sourcetyping or duplicating data?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases