Hello,
I have some Apache access logs coming in that I'd like to label sourcetype="aem:access" instead of sourcetype=access_combined. How do I apply the sourcetype=access_combined default extractions to sourcetype="aem:access"?
Thanks!
You could go to props.conf and copy the settings of access_combined to your sourcetype.
Here's the documentation on props.conf
https://docs.splunk.com/Documentation/Splunk/7.2.3/Admin/Propsconf
From UI:
You will find Sourcetype Renaming option in Settings --> Fields menu path. Select the Destination App and provide the name of current sourcetype, _newname in your case, and the new sourcetype as newname and click Save.
From CLI:
You can use the rename setting in props.conf to change the sourcetype.
You'd need to copy the field extractions from the access_combined sourcetype to your custom aem:access sourcetype.
Where are those field extractions located on my search head?
This is a built-in sourcetype, so you'd find it in $SPLUNK_HOME/etc/system/default/props.conf. When you create your custom sourcetype, place your props.conf under $SPLUNK_HOME/etc/apps in some app. Do not modify $SPLUNK_HOME/etc/system/default/props.conf.
If I add it to $SPLUNK_HOME/etc/system/local/props.conf, will that be global so all apps can use those extractions?
Right, but $SPLUNK_HOME/etc/apps/search/local/props.conf is probably a better place for global app settings.
Please keep in mind that access_combined in $SPLUNK_HOME/etc/system/default/props.conf refers to $SPLUNK_HOME/etc/system/default/transforms.conf as well.
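As an added example that is not part of the original thread, here is what the "copy the access_combined settings to your own sourcetype" advice above looks like as a props.conf stanza, including the transforms.conf dependency the last comment points out. The setting and stanza names (REPORT-access, access-extractions, TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD, SHOULD_LINEMERGE) are taken from the shipped $SPLUNK_HOME/etc/system/default/props.conf and transforms.conf of the 7.x release the linked documentation describes; confirm them against your own install before relying on them. `<your_app>` is a placeholder for whichever app you choose to hold the config.

```ini
# $SPLUNK_HOME/etc/apps/<your_app>/local/props.conf
# Added example: settings mirrored from the shipped [access_combined] stanza in
# $SPLUNK_HOME/etc/system/default/props.conf (verify against your version).
[aem:access]
# Parsing settings copied from access_combined. These are applied at
# index time, so they must be present where the data is parsed
# (indexer or heavy forwarder), not only on the search head.
SHOULD_LINEMERGE = false
TIME_PREFIX = \[
MAX_TIMESTAMP_LOOKAHEAD = 128

# Search-time field extraction. Rather than copying the regex, point at the
# same transforms stanza access_combined uses. It lives in
# $SPLUNK_HOME/etc/system/default/transforms.conf and is visible to every
# app, so no local transforms.conf is needed. This setting belongs on the
# search head.
REPORT-access = access-extractions

category = Web
description = Apache combined-format access logs labelled aem:access
```

After a restart (or a debug/refresh of props), check the merged result and which file each setting came from with `$SPLUNK_HOME/bin/splunk btool props list aem:access --debug`; if REPORT-access is missing there, the search-time extractions will not appear even though the sourcetype is being assigned correctly.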