According to the documentation for Splunk version 3.x there is the ability to alias a sourcetype, however it does not appear to exist under version 4.x.
I find myself in the position where I have many applications all logging via log4j and would like to be able to filter my searches on application type.
I was hoping to be able to set up the forwarders via the CLI, adding the monitor statements with an explicit -sourcetype.
The only other option I can see is to set up TAGs on each of the source statements based on filename. (Can tags be managed automatically for certain sources, perhaps based on a regex?)
Any suggestions or clarifications would be greatly appreciated.
Regards,
mgh
P.S. In case it was not immediately obvious, yes, I am very new to Splunk.
I don't think this is what you want to do, though the specific answer to how to alias a sourcetype is given later. It seems to me that you simply want to specify a sourcetype for a set of input files. Normally, you can simply specify one when you create the input, either in the Manager GUI, with sourcetype = mysourcetype in inputs.conf, or with a sourcetype stanza based on source in props.conf.
If you were using a Splunk forwarder that would be it. If not, you may have to use a TRANSFORM stanza to modify/set the sourcetype at index time, much as with host names: http://www.splunk.com/base/Documentation/latest/Admin/Overridedefaulthostassignments
You can rename sourcetypes in 4.x. props.conf.spec says:
rename = <string>
* Renames <sourcetype> as <string>
* With renaming, you can search for the sourcetype with sourcetype=<string>
* To search for the original sourcetype without renaming, use the field _sourcetype
Therefore, for example:
[myoldsourcetype]
rename = mynewsourcetype
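Putting the answer's three options together for the log4j case in the question, as an added example that is not part of the original answer (the paths, index and sourcetype names are hypothetical):

```ini
# --- inputs.conf on the forwarder ---
# One monitor stanza per log4j application, each with an explicit sourcetype,
# so searches can be filtered with sourcetype=log4j_billing and so on.
# CLI equivalent:  splunk add monitor /var/log/billing/app.log -sourcetype log4j_billing
[monitor:///var/log/billing/app.log]
sourcetype = log4j_billing
index = main

[monitor:///var/log/orders/app.log]
sourcetype = log4j_orders
index = main

# --- props.conf on the indexer (or heavy forwarder): assign by source path ---
# Sourcetype is set when the data is parsed, so this stanza belongs where parsing
# happens, not on a universal forwarder. The "..." wildcard matches any number
# of path segments, so every *.log under /var/log/inventory/ gets this sourcetype
# without a per-file inputs.conf entry.
[source::/var/log/inventory/.../*.log]
sourcetype = log4j_inventory

# --- props.conf: rename an already-used sourcetype (the 4.x way to "alias") ---
# Events stay indexed under "log4j"; searches use sourcetype=log4j_legacy,
# and _sourcetype=log4j still matches the original name.
[log4j]
rename = log4j_legacy
```

Restart Splunk (or reload the inputs) after editing these files; the rename applies to searches over existing data, while the inputs.conf and source-based assignments only affect events indexed from that point on.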