This documentation does not apply to the most recent version of Splunk.
This documentation applies to the following versions of Splunk: 3.3 , 3.3.1 , 3.3.2 , 3.3.3 , 3.3.4 , 3.4 , 3.4.1 , 3.4.2 , 3.4.3 , 3.4.5 , 3.4.6 , 3.4.8 , 3.4.9 , 3.4.10 , 3.4.11 , 3.4.12 , 3.4.13
Use these instructions to assign a source type based on a source via props.conf. Edit props.conf in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see how configuration files work.
Note: This only impacts new data coming in following your configuration change. If you want to correct the source type displayed in Splunk Web for data that has already been indexed, create an alias instead.
Add a stanza for your source in $SPLUNK_HOME/etc/system/local/props.conf and set a sourcetype = attribute:
[source::.../var/log/anaconda.log(.\d+)?] sourcetype = anaconda
This sets any events from sources containing the string /var/log/anaconda.log followed by any number of numeric characters to sourcetype=anaconda.
Splunk recommends that your stanza source path regexes (such as [source::.../web/....log]) be as specific as possible and it is HIGHLY recommended that the regex does not end in "...". For example, don't do this:
[source::/home/fflanda/...] sourcetype = mytype
This is dangerous, because as in this example, gzip files in /home/fflanda will be processed as mytype files rather than gzip files.
It would be much better to write:
[source::/home/fflanda/....log(.\d+)?] sourcetype = mytype
Learn more about props.conf.