Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Source Names

simonattardGO
Path Finder
‎06-19-2012 04:20 AM

Hi,

We have a Splunk system set up. When we log into splunk and go to the search dashboard, all the sources appear with the IP and port eg: 10.12.34.56:1001
We would like to be able to see a more descriptive representation of the url, rather than the IP e.g. Application Server 1

We know this can be achieved by setting the source = "Application Server 1" in inputs.conf. However, when we do so, all the logs which are already indexed do not appear under Application Server 1 but they remain under 10.12.34.56:1001.

Is there a way how to change the source of the logs which are already received?

Thanks

Simon

Tags (1)
0 Karma
Reply

Ayn
Legend
‎06-19-2012 04:30 AM

No, "source" is an indexed field that cannot be changed once it's set.

You could possibly create lookup files that map input sources to more descriptive names, and then look at the field(s) created by the lookup. That could apply to all results, not just newly indexed ones.

Reply
Get Updates on the Splunk Community!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...