Solved: How do you override "source" on a oneshot?

Ron_Naken · ‎08-10-2010

I'm using oneshot to do a one-time import of data:

splunk add oneshot $(pwd)/mydata -sourcetype mytype -index main

However, I am unable to to specify a source override for the data. I want a custom value instead of the default filepath/filename. I tried this:

splunk add oneshot $(pwd)/mydata -sourcetype mytype -index main -source mysource

But this generate an error

Only one "name" parameter can be specified.

V_at_Splunk · ‎08-10-2010

Use -rename-source like this

splunk add oneshot $(pwd)/mydata -sourcetype mytype -index main -rename-source mysource

This was a known issue (SPL-32358) and was fixed in Splunk 4.2.

View solution in original post

Lowell · ‎08-13-2010

Before 4.2, you should be able to override the source by adding a line like this to the beginning of your log file:

***SPLUNK*** source=mysource

Of course this works for sourcetype, host, and index too.

Lowell · ‎08-03-2011

According to V_at_Splunk, in 4.2, you should be able to use a new parameter called -rename-source, and therefore this work around shouldn't be necessary. (This should still work in 4.2. That said, I'm not sure if the new HEADER_MODE props.conf setting will have any impact on this or not.)

dwaddle · ‎07-22-2011

When you say "Before 4.2" is this due to a defect/bug in 4.2, or a change in how Splunk 4.2 works?

V_at_Splunk · ‎08-10-2010

Use -rename-source like this

splunk add oneshot $(pwd)/mydata -sourcetype mytype -index main -rename-source mysource

This was a known issue (SPL-32358) and was fixed in Splunk 4.2.

How do you override "source" on a oneshot?

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2