Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Change sourcetype in index

m0rt1f4g0
Explorer
‎10-30-2023 12:55 PM

Hi.

Currently, I receive my Linux logs in an index called linux_logs and a syslog sourcetype.

I would like to change the syslog sourcetype to the linux_secure sourcetype.

How can I make that change so that the new logs already arrive in the new sourcetype?

My configuration

m0rt1f4g0_0-1698695433667.png

 

Sourcetype syslog

m0rt1f4g0_2-1698695681900.png

Sourcetype linux_secure

m0rt1f4g0_1-1698695659848.png

 

Thanks!

 

 

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎11-02-2023 05:38 AM

Hi

why you are collecting those logs with syslog and especially with UDP? That way you will always lose some events time by time! Much better way is use UFs on those nodes and use it. Then it's much easier to define which sourcetype which file are.

r. Ismo

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...