Splunk Search

How do I change sourcetype but also keep previous sourcetype?

ZacEsa
Communicator

Hi all,

I realized that Splunk hasn't been correctly auto-setting the sourcetypes for my incoming logs, resulting in lots of sourcetypes.

Now, when I want to do field extractions, I'm unable to do so for multiple logs at once since they have different sourcetypes.

Is it possible for me to set two sourcetypes to a single source so that I can do field extractions for the new sourcetype while keeping the old extractions for the old sourcetype?

0 Karma
1 Solution

ZacEsa
Communicator

Here's what I did,

I duplicated whatever field extractions I had in my props.conf file, e.g.:

Props.conf before duplication.

[oldsourcetype]
EXTRACT-somefieldextraction = (?P<somefieldextraction>.*?)

Props.conf after duplication.

[oldsourcetype]
EXTRACT-somefieldextraction = (?P<somefieldextraction>.*?)

[newsourcetype]
EXTRACT-somefieldextraction = (?P<somefieldextraction>.*?)

This way, the old indexed data will still have the field extractions and I can search for the fields from both old and new sourcetype.

After doing this, I edited my inputs.conf to include sourcetype = newsourcetype on my monitors so that they use the new sourcetype.

0 Karma

woodcock
Esteemed Legend

That is exactly what rename is for: the new is sourcetype and the old is _sourcetype:
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf

rename = <string>
* Renames [<sourcetype>] as <string> at search time
* With renaming, you can search for the [<sourcetype>] with
  sourcetype=<string>
* To search for the original source type without renaming it, use the 
  field _sourcetype.
* Data from a renamed sourcetype will only use the search-time
  configuration for the target sourcetype. Field extractions
  (REPORTS/EXTRACT) for this stanza sourcetype will be ignored.
* Defaults to empty.
0 Karma
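Added example, not code from this thread or from Splunk: a small Python script that does what the accepted answer describes (duplicate the search-time extractions of [oldsourcetype] into a [newsourcetype] stanza) and also checks for the pitfall in the props.conf text quoted above (a stanza that sets rename and still carries EXTRACT-/REPORT- keys, which Splunk ignores). The props.conf content, the stanza names and the log event are constructed for the example; treating FIELDALIAS-, EVAL- and LOOKUP- as search-time keys alongside EXTRACT- and REPORT- is the author's assumption, noted in the code.

```python
"""Added example (not from the thread): clone a sourcetype's search-time
extractions to a new sourcetype in props.conf, and flag extractions that a
`rename` would silently ignore. Python's configparser reads the props.conf
syntax; the props.conf text and the log event below are constructed."""
import configparser
import io
import re

# props.conf keys assumed to configure search-time field extraction. These are
# what must be duplicated for the new sourcetype. TRANSFORMS-* is index-time
# and is deliberately left out.
SEARCH_TIME_PREFIXES = ("EXTRACT-", "REPORT-", "FIELDALIAS-", "EVAL-", "LOOKUP-")

# Constructed props.conf: the original stanza, plus a stanza that uses `rename`
# and (wrongly) also carries its own EXTRACT-, which Splunk ignores.
SAMPLE_PROPS = r"""
[oldsourcetype]
EXTRACT-user = user=(?P<user>\S+)
EXTRACT-status = status=(?P<status>\d{3})
TRANSFORMS-drop = drop_debug

[renamed_legacy]
rename = oldsourcetype
EXTRACT-ip = src=(?P<src_ip>\d+\.\d+\.\d+\.\d+)
"""

# Constructed log event used to check that old and new stanzas extract alike.
SAMPLE_EVENT = "2024-03-01T10:00:00Z user=alice status=403 src=10.0.0.5"


def load_props(text):
    """Parse props.conf text. Keys are case-sensitive and regex values may
    contain '%' or ':', so interpolation is off and '=' is the only delimiter."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def clone_extractions(cp, old_st, new_st):
    """Copy every search-time extraction key from [old_st] into [new_st],
    creating [new_st] if needed. Keys already present in [new_st] are kept.
    Returns the list of copied keys in stanza order."""
    if not cp.has_section(old_st):
        raise KeyError(f"no stanza [{old_st}] in props.conf")
    if not cp.has_section(new_st):
        cp.add_section(new_st)
    copied = []
    for key, value in cp.items(old_st):
        if key.startswith(SEARCH_TIME_PREFIXES) and not cp.has_option(new_st, key):
            cp.set(new_st, key, value)
            copied.append(key)
    return copied


def dead_extractions(cp):
    """Return {stanza: [keys]} for stanzas that set `rename` and also define
    search-time extractions; per the props.conf docs those are ignored because
    renamed data uses the target sourcetype's search-time configuration."""
    dead = {}
    for stanza in cp.sections():
        if not cp.has_option(stanza, "rename"):
            continue
        keys = [k for k, _ in cp.items(stanza) if k.startswith(SEARCH_TIME_PREFIXES)]
        if keys:
            dead[stanza] = keys
    return dead


def extract_fields(cp, sourcetype, event):
    """Apply the EXTRACT-* regexes of [sourcetype] to one event using Python's
    re module as a stand-in for Splunk's PCRE (named groups behave the same).
    Simplification: the `<regex> in <field>` form of EXTRACT is not handled."""
    fields = {}
    for key, regex in cp.items(sourcetype):
        if not key.startswith("EXTRACT-"):
            continue
        m = re.search(regex, event)
        if m:
            fields.update({k: v for k, v in m.groupdict().items() if v is not None})
    return fields


def dump_props(cp):
    """Render the parsed config back to props.conf text."""
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()


if __name__ == "__main__":
    props = load_props(SAMPLE_PROPS)
    print("copied:", clone_extractions(props, "oldsourcetype", "newsourcetype"))
    print("old:", extract_fields(props, "oldsourcetype", SAMPLE_EVENT))
    print("new:", extract_fields(props, "newsourcetype", SAMPLE_EVENT))
    print("ignored by rename:", dead_extractions(props))
    print(dump_props(props))
```

Write the dumped text to the props.conf in your app's local directory, then set sourcetype = newsourcetype on the monitor stanzas in inputs.conf. Events already indexed keep their old sourcetype and keep using the [oldsourcetype] extractions, which is the outcome the accepted answer is after; the dead_extractions check is there because the rename route quoted from the docs looks equivalent but drops the stanza's own extractions.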

ZacEsa
Communicator

But if I use rename, I won't be able to do field extractions, which is the main reason why I want to rename the sourcetypes: I have the same type of logs from multiple sources but, due to Splunk not auto-assigning the sourcetype properly, they all have different sourcetypes, meaning I'm not able to do field extraction for all sources at once.

0 Karma

ZacEsa
Communicator

What would happen if I were to change the sourcetype in inputs.conf?

0 Karma