Hi,
Is there a way to create / clone a new sourcetype say my_csv or my_log4j from the default sourcetype csv, log4j?
Thanks!
Not from the GUI no, but you can find the [log4j] stanza in $SPLUNK_HOME/etc/system/default/props.conf and just copy it to $SPLUNK_HOME/etc/system/local/props.conf. Then you just edit the stanza header [log4j] to [my_log4j] in the new location.
Beware if there are any settings happening in transforms.conf (like REPORT or TRANSFORMS directives in props.conf) that you may also want to edit (if you want them to behave differently than for the original [log4j]).
Hope this helps,
Kristian
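The copy-and-rename step from the answer above, as an added example that is not part of the original post. It runs on a constructed props.conf sample; the function name clone_stanza and the transform names are hypothetical. It also lists the transforms.conf stanzas that the cloned sourcetype would still share with the original.

```python
import re

# Constructed sample standing in for $SPLUNK_HOME/etc/system/default/props.conf.
# The settings and transform names are illustrative, not Splunk's shipped defaults.
SAMPLE_DEFAULT_PROPS = """\
[csv]
SHOULD_LINEMERGE = False
KV_MODE = none

[log4j]
BREAK_ONLY_BEFORE = \\d\\d:\\d\\d:\\d\\d
REPORT-example = example_log4j_fields
TRANSFORMS-example = example_route_a, example_route_b
"""

STANZA_HEADER = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
TRANSFORM_REF = re.compile(r"^(REPORT|TRANSFORMS)-[^=\s]+\s*=\s*(?P<names>.+)$")


def clone_stanza(props_text, source, target):
    """Return (stanza text for [target], transforms.conf stanzas it references)."""
    body, refs, inside = [], [], False
    for line in props_text.splitlines():
        header = STANZA_HEADER.match(line)
        if header:
            if inside:
                break  # reached the stanza after [source]
            inside = header.group("name") == source
            continue
        if not inside:
            continue
        body.append(line)
        ref = TRANSFORM_REF.match(line.strip())
        if ref:
            refs += [n.strip() for n in ref.group("names").split(",") if n.strip()]
    if not inside:
        raise KeyError(f"stanza [{source}] not found")
    while body and not body[-1].strip():
        body.pop()  # drop blank lines that separated the stanzas
    return "\n".join([f"[{target}]"] + body) + "\n", refs


if __name__ == "__main__":
    stanza, shared = clone_stanza(SAMPLE_DEFAULT_PROPS, "log4j", "my_log4j")
    print(stanza)  # text to append to $SPLUNK_HOME/etc/system/local/props.conf
    print("transforms.conf stanzas still shared with [log4j]:", shared)
```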
Yes. Take a look at DELIMS and FIELDS directives for transforms.conf. They should be put in a transforms.conf stanza which is called from props.conf through a REPORT-directive.
I believe you should use DELIMS = ";", with FIELDS = field1, field2 etc.
I found the csv stanza in default.prop.conf
[csv]
SHOULD_LINEMERGE = False
pulldown_type = true
CHECK_FOR_HEADER = true
KV_MODE = none
Assuming I want to change the standard delimiter from comma , to semi-colon ; based on this csv stanza, is it feasible?
Thank you!