Can you treat overrided sourcetypes savely as normal sourcetypes?

0	I have a single source and my main config is based on overided sourcetypes. So is it save to build all configs (FIELDALIAS, LOOKUP, REPORTS) under this overrided sourcetypes? sourcetype asked 18 Apr '11, 07:44 Starlette 463●2●3●29 accept rate: 9% edited 18 Apr '11, 07:46

One Answer:

oldest newest most voted

FIELDALIAS, LOOKUP, and REPORT are all search time configurations which are perfectly acceptable to run on a sourcetype which is set via TRANSFORMS or sourcetype= property on a particular source.

link

answered 18 Apr '11, 09:06

hazekamp
2.2k●2●18
accept rate: 38%

But note that of course non-search-time configs (TRANSFORM, TZ, etc, see http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings%3F for a non-exhaustive list) won't work with those, and note that if you use the "rename" directive to override a sourcetype, no settings (including search search-time) can be applied.

(18 Apr '11, 10:31) gkanapathy ♦

Post your answer

toggle preview

Follow this question

Email:

RSS:

Answers

Answers + Comments

Markdown Basics

*italic* or _italic_
**bold** or __bold__
link:[text](http://url.com/ "Title")
image?![alt text](/path/img.jpg "Title")
numbered list: 1. Foo 2. Bar
to add a line break simply add two spaces to where you would like the new line to be.
basic HTML tags are also supported

learn more about Markdown

Tags:

sourcetype ×256

Asked: 18 Apr '11, 07:44

Seen: 603 times

Last updated: 18 Apr '11, 10:31

Can you treat overrided sourcetypes savely as normal sourcetypes?

Follow this question

Splunk Resources

Related questions