Hi all,
I realized that Splunk hasn't been correctly auto-setting the sourcetypes for my incoming logs, resulting in lots of sourcetypes.
Now, when I want to do field extractions, I'm unable to do so to multiple logs at once since they have different sourcetypes.
Is it possible for me to set two sourcetypes to a single source so that I can do field extractions for the new sourcetype while keeping the old extractions for the old sourcetype?
Here's what I did,
I duplicated whatever field extractions I had in my props.conf file. E.g.;
Props.conf
before duplication.
[oldsourcetype]
EXTRACT-somefieldextraction = (?P<somefieldextraction>.*?)
Props.conf
after duplication.
[oldsourcetype]
EXTRACT-somefieldextraction = (?P<somefieldextraction>.*?)
[newsourcetype]
EXTRACT-somefieldextraction = (?P<somefieldextraction>.*?)
This way, the old indexed data will still have the field extractions and I can search for the fields from both old and new sourcetype.
After doing this, I edited my inputs.conf
to include sourcetype = newsourcetype
on my monitors so that they use the new sourcetype.
That is exactly what rename is for: the new one is sourcetype and the old one is _sourcetype:
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf
rename = <string>
* Renames [<sourcetype>] as <string> at search time
* With renaming, you can search for the [<sourcetype>] with
sourcetype=<string>
* To search for the original source type without renaming it, use the
field _sourcetype.
* Data from a renamed sourcetype will only use the search-time
configuration for the target sourcetype. Field extractions
(REPORTS/EXTRACT) for this stanza sourcetype will be ignored.
* Defaults to empty.
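Here is how the two approaches in this thread look side by side in props.conf and inputs.conf. This is an added illustration, not configuration from the original post or from the Splunk documentation; the stanza names, the extraction name and the monitor path are placeholders, and the regex is the placeholder from the question. The two props.conf variants are alternatives: pick one, do not put both [oldsourcetype] stanzas in the same file.

```ini
# ===== Approach 1 (as described in the question): duplicate the stanza =====
# props.conf
[oldsourcetype]
# Existing search-time extraction; events already indexed as oldsourcetype
# keep using this stanza.
EXTRACT-somefieldextraction = (?P<somefieldextraction>.*?)

[newsourcetype]
# Same extraction copied verbatim so newly indexed events get the same field.
EXTRACT-somefieldextraction = (?P<somefieldextraction>.*?)

# inputs.conf (path is a placeholder; applies to both approaches)
[monitor:///var/log/app/app.log]
# Pin the sourcetype so autodetection no longer scatters events across
# many sourcetypes; only events indexed after this change are affected.
sourcetype = newsourcetype

# ===== Approach 2 (as in the reply above): rename at search time =====
# props.conf
[oldsourcetype]
# Old events now match sourcetype=newsourcetype; the original name remains
# searchable as _sourcetype=oldsourcetype. Per the quoted docs, EXTRACT/REPORT
# settings in this stanza would be ignored, so none are defined here.
rename = newsourcetype

[newsourcetype]
# Extractions live on the target stanza, which the quoted docs say is the
# search-time configuration used for the renamed data as well as for
# events indexed directly as newsourcetype.
EXTRACT-somefieldextraction = (?P<somefieldextraction>.*?)
```

To confirm which settings actually win after layering, run `splunk btool props list newsourcetype --debug` on the search head, then check the merged view with a search such as `sourcetype=newsourcetype | stats count by _sourcetype`: with approach 2 both the old and the new events should appear, and they should carry the somefieldextraction field.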
But if I use rename, I won't be able to do field extractions, which is the main reason why I want to rename the sourcetypes: I have the same type of logs from multiple sources but, because Splunk is not auto-assigning the sourcetype properly, they all have different sourcetypes, meaning I'm not able to do field extraction for all sources at once.
What were to happen if I were to change the sourcetype in inputs.conf?