
We are upgrading from splunk 3 to 4. We previously had sourcetypes with "-" in them. It looks like these aren't supported?

That's not my real question. We want both the new and old sourcetypes to work. Can we alias them? I see some stuff about tagging/renaming so you can access the original with "_sourcetype=xxx", but we want them both to just work.

asked 22 Jul '10, 15:31


mmattek


2 Answers:

I don't think there is anything you can do to make this "just work" for all your existing searches, since you want both names available.

Here are a few options:

1.) Use a massive find and replace process that replaces all occurrences of "sourcetype=oldname" with "(sourcetype=oldname OR sourcetype=newname)" in your savedsearches.conf and eventtypes.conf.

2.) Use sourcetype "tags". In 4.x you can actually "tag" your sourcetypes, which you couldn't do in earlier versions because tagging a sourcetype in those versions was hijacked for the rename-like behavior. So now that you can straight up tag sourcetypes, you can get the functionality you are looking for that way.

You still have to do some kind of massive find and replace thing, using "tag::sourcetype=name" rather than "sourcetype=name".

3.) Put the effort into consolidating your sourcetypes and fixing everything on a one-by-one basis. I know you would like to avoid this, but it may make your sourcetypes more consistent long term. (Also keep in mind that with the rename feature, you can rename your sourcetypes per application by making that "rename" entry in props.conf only available to a single app. This may or may not be a good idea, but it's an option.)


Those are just some thoughts, it's hard to say what approach is easier or better long term without seeing the bigger picture of your existing setup. Just wanted to throw another idea out there.


answered 22 Jul '10, 18:59


Lowell ♦
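A worked version of option 1 above, added here as an illustration and not code from the original thread: a small Python script that expands each sourcetype=&lt;old&gt; term in the "search =" lines of a savedsearches.conf or eventtypes.conf into (sourcetype="&lt;old&gt;" OR sourcetype="&lt;new&gt;"), so saved searches written against the hyphenated 3.x names also match the renamed 4.x sourcetypes. The rename table and the sample stanzas are constructed for the example; it handles quoted and bare values, leaves other keys alone, and is safe to run more than once, but it does not handle backslash line continuations.

```python
import re
import sys

# Old (3.x, hyphenated) sourcetype name -> new 4.x name.
# Constructed example mapping; substitute your own.
RENAMES = {
    "web-access": "web_access",
    "app-error": "app_error",
}

# Matches sourcetype=<value> with the value either double-quoted or a bare
# token; group 1 is the quoted form, group 2 the bare form.
_TERM = re.compile(r'sourcetype\s*=\s*(?:"([^"]*)"|([^\s()]+))')


def expand_sourcetype_terms(search, renames=RENAMES):
    """Return `search` with every sourcetype=<old> term replaced by
    (sourcetype="<old>" OR sourcetype="<new>"). Terms that are already
    expanded are left alone, so running this twice is harmless."""
    def repl(m):
        old = m.group(1) if m.group(1) is not None else m.group(2)
        new = renames.get(old)
        if new is None:
            return m.group(0)  # some other sourcetype: leave unchanged
        # Already followed by ' OR sourcetype="<new>")'? Then it was expanded
        # on an earlier run and must not be wrapped a second time.
        tail = search[m.end():m.end() + len(new) + 32]
        if re.match(r'\s+OR\s+sourcetype\s*=\s*"?%s"?\s*\)' % re.escape(new), tail):
            return m.group(0)
        return '(sourcetype="%s" OR sourcetype="%s")' % (old, new)
    return _TERM.sub(repl, search)


def rewrite_conf(text, renames=RENAMES):
    """Rewrite the value of every 'search = ...' key in a .conf body.
    Stanza headers, other keys, comments and blank lines pass through
    unchanged. Backslash line continuations are not handled."""
    out = []
    for line in text.splitlines():
        # Split only on the first '=' so '=' inside the search value survives.
        key, sep, value = line.partition("=")
        if sep and key.strip() == "search":
            line = key + "=" + expand_sourcetype_terms(value, renames)
        out.append(line)
    result = "\n".join(out)
    return result + "\n" if text.endswith("\n") else result


# Constructed sample savedsearches.conf, not from the original question.
SAMPLE_CONF = """\
[Failed logins by host]
search = sourcetype=app-error "login failed" | stats count by host
dispatch.earliest_time = -24h

[web_errors]
search = sourcetype="web-access" status>=500 | timechart count
"""

if __name__ == "__main__":
    # Usage: python rewrite_sourcetypes.py path/to/savedsearches.conf > new.conf
    # With no argument it rewrites the constructed sample instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            sys.stdout.write(rewrite_conf(f.read()))
    else:
        sys.stdout.write(rewrite_conf(SAMPLE_CONF))
```

Run it against a copy of the file and diff the output before replacing the original, and keep the rename table in sync with whatever "rename" entries end up in props.conf; a name that is rewritten here but never actually renamed in props.conf simply adds a term that matches nothing.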

Yes. You can use the rename command in props.conf:

[sourcetype]
rename = <string>
* Renames <sourcetype> as <string>
* With renaming, you can search for the sourcetype with sourcetype=<string>

If you rename the old to the same name as the new sourcetype, that should do what you want.


answered 22 Jul '10, 16:07


gkanapathy ♦

We tried that, but we want BOTH the old and new sourcetype to work (you can actually get the old sourcetype to work with _sourcetype, but we want current saved searches/code to not have to change).

(22 Jul '10, 16:16) mmattek
Seen: 1,267 times

Last updated: 22 Jul '10, 18:59

Copyright © 2005-2012 Splunk Inc. All rights reserved.