I have a few things in my summary in the search app that I'd like to change.
Some of my source names are long or obscure, and I'd like to make them more user friendly.
Ex: WinEventLog:ForwardedEvents
Renamed: "DC Security Logs"
etc....
Is this possible?
You can specify the source at the input level if the name is confusing for your users, but the summary page is based on metadata and can't easily be manipulated. The best, and easiest way is just specifying a source at the input level that is more user friendly. Also, if you're wondering about changing the data that's already been indexed, that isn't possible.
http://docs.splunk.com/Documentation/Splunk/5.0.2/admin/Inputsconf
source = <string>
* Sets the source key/field for events from this input.
* NOTE: Overriding the source key is generally not recommended. Typically, the
input layer will provide a more accurate string to aid in problem
analysis and investigation, accurately recording the file from which the data
was retrieved. Please consider use of source types, tagging, and search
wildcards before overriding this value.
* Detail: Sets the source key's initial value. The key is used during
parsing/indexing, in particular to set the source field during
indexing. It is also the source field used at search time.
* As a convenience, the chosen string is prepended with 'source::'.
* WARNING: Do not quote the <string> value: source=foo, not source="foo".
* Defaults to the input file path.
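As an added illustration (not from the original answer or the Splunk docs), here is what the input-level override looks like beside the alternative the NOTE recommends. The monitor path, index and tag name are assumptions; the stanza is for a file input, since that is where source= would otherwise default to the file path.

```ini
# inputs.conf (constructed example; path, index and sourcetype are assumptions)
[monitor:///var/log/dc-security/*.log]
index = wineventlog
sourcetype = WinEventLog:Security
# Overrides the source key at index time for this input only.
# Do not quote the value: source = DC Security Logs, not source = "DC Security Logs".
# Only events indexed from now on get the new source; data already indexed keeps the old one.
source = DC Security Logs

# tags.conf (constructed example; tag name is an assumption)
# Alternative that leaves the raw source untouched, so an investigation can still
# see exactly which channel an event came from, while users search by tag instead:
#   tag=dc_security_logs
[source=WinEventLog:ForwardedEvents]
dc_security_logs = enabled
```

The tag approach also applies retroactively, because tags are resolved at search time rather than written into the index.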
Ahhhhhh, alright. I inputted the local "ForwardedEvents" log (I'm using Event Collections to filter logs) and it just shows as "WinEventLog:ForwardedEvents" with no naming options. That sucks. Oh well!
Thanks!