This documentation does not apply to the most recent version of Splunk.
This documentation applies to the following versions of Splunk: 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13
Think of a source type alias as a tag for a value of the sourcetype field. Besides aliasing a source type via Splunk Web, you can configure a source type alias in tags.conf, the same way you configure tags for a field.
In tags.conf you can:
Add tag::<sourcetype_value>::<sourcetype_alias>=enabled in the [sourcetype] stanza. There should be only one such stanza in the tags.conf file; if it doesn't already exist, you can create it manually.
Note: You can only enter one source type alias (or tag) per line in a tags.conf stanza.
The following example shows a sample configuration of source type aliases (tags for values of the sourcetype field). In this example, events from the access_common, cups_access, and syslog source types are all aliased as FAIL. The syslog alias for the syslog source type is disabled.
[sourcetype]
tag::syslog::syslog = disabled
tag::access_common::FAIL = enabled
tag::cups_access::FAIL = enabled
tag::syslog::FAIL = enabled
If you search for sourcetype=FAIL with this configuration, your search will return events from the access_common, cups_access, and syslog source types.