Solved: Change the syslog sourcetype

KarunK · ‎01-23-2012

Hi,

I need to change the source-type "syslog" to "abc_syslog". My understanding is we cannot change the source-type once the log is indexing.

Any suggestions please ?

input.conf file at the forwader is given below. I tried to add the sourcetype at the forwarder as "abc_syslog" in the input.conf file (below), but the splunk even stopped indexing.

[monitor:///var/adm/messages]
host = ssapp0813
index = abc_syslog

Brian_Osburn · ‎01-23-2012

Judging by the example given, you changed the index, not the sourcetype.

If you're wanting to change all the sourcetypes from the source /var/adm/messages, you can do the following:

On the indexer, add the following to $SPLUNK_HOME/etc/system/local/props.conf

[source::/var/adm/messages]

sourcetype=abc_syslog

Brian

View solution in original post

Brian_Osburn · ‎01-23-2012

Judging by the example given, you changed the index, not the sourcetype.

If you're wanting to change all the sourcetypes from the source /var/adm/messages, you can do the following:

On the indexer, add the following to $SPLUNK_HOME/etc/system/local/props.conf

[source::/var/adm/messages]

sourcetype=abc_syslog

Brian

KarunK · ‎01-23-2012

Yep it worked.. Thanks for that...

Change the syslog sourcetype

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!