Hi Experts,
I am looking for best practices on how to conceptually, systematically and with minimum effort and rework rename sourcetypes already defined in apps on Splunkbase.
Idea:
A downloaded add-on from Splunkbase/GitHub etc. has a sourcetype name defined in default/props.conf. I want to rename this sourcetype (just the name) so that it has a more consistent name in the overall Splunk deployment, e.g. vendor:system:component:logtype.
My question is how to do that with minimum work and ideally no changes in original default/props.conf file. I cannot find any way other than to simply create a new sourcetype under local/props.conf and copy all original sourcetype definitions from default/props.conf. For me this does not scale. I am looking for a sourcetype "alias" or something like that.
I know of the props.conf "rename" option. It does not fit this scenario.
Any ideas? I am sure big companies must have some approach. Perhaps I am missing something Splunk can help me with in this?
Tomas
I've worked for a few pretty big companies that use Splunk, but I've never seen anyone going through the trouble of changing sourcetypes as used in off-the-shelf add-ons to make them match some naming convention.
Mainly because I don't think there is any other way than actually rewriting the add-on, which - as you already concluded - makes no sense from a maintenance point of view.
What would be the value of renaming sourcetypes in the way you mentioned?