Topics

| pdf version

Getting Started

How Splunk Works

Configuring a Splunk Deployment

Data Inputs

Hosts

Source Types

Timestamp Recognition

Events

Event Types

Meta Events

Fields

Segmentation

Saved Searches and Alerts

Authentication

Granular Access Control

Data Distribution

Distributed Search

Deployment Server

Index Management

Bundles

SplunkBase

Performance Tuning

Routine Maintenance

How-To

Troubleshooting

Reference


Toolbox

Splunk > The IT Search Company

  • Search and navigate IT data from applications, servers and network devices in real-time.
  • Download Splunk

Localized Splunk documentation

Looking for Splunk documentation in other languages?

Documentation | Discussion | View source | History

Set a source type for a source

This documentation does not apply to the most recent version of Splunk.

This documentation applies to the following versions of Splunk: 3.0.1 , 3.0.2 , 3.1 , 3.1.1 , 3.1.2 , 3.1.3 , 3.1.4

Set a source type for a source

Use these instructions if you need to assign a sourcetype based on a source.


This will only impact new data coming in following your configuration change. If you want to correct the sourcetype displayed in SplunkWeb for data that has already been indexed, you will need to create an alias instead.


via configuration files

Create a stanza for your source in $SPLUNK_HOME/etc/bundles/local/props.conf and set a sourcetype = attribute: 


[source::.../var/log/anaconda.log(.\d+)?]
sourcetype = anaconda

This will set any events from sources containing the string /var/log/anaconda.log followed by any number of numeric characters to sourcetype::anaconda.


Learn more about props.conf.

Retrieved from "http://www.splunk.com/base/Documentation/3.1/Admin/SetASourceTypeForASource"
Revision: 207 | Contact | Privacy Policy | Terms of Use | Community content licensed under Creative Commons

Copyright © 2005-2009 Splunk Inc. All rights reserved.