http://www.splunk.com/support/forum:SplunkGeneral/4051 Mon, 13 Feb 2012 12:07:16 PST Mon, 13 Feb 2012 12:07:16 PST en-us http://creativecommons.org/licenses/by-nc-nd/2.5/ http://www.splunk.com/support/forum:SplunkGeneral/4051/14488 <p>Had similar experience. I initially set the sourcetype to automatic for my inputs. The data was then indexed and I ended up with sourcetype iis-2, iis-3.</p> <p>So I then modified the inputs.conf file to manually set the sourcetype to iis. But my indexed data remained with iis-2 and iis-3.</p> <p>According to the manual, changing sourcetype affects new data coming in after the config change, and not the indexed data.</p> <p>So i then modified props.conf to rename the sourcetype for the already indexed data.</p> <p>[iis-2]<br /> rename = iis</p> <p>Below is where I found it in the documentation:</p> <p>Override automatic source type:<br /> <a href="http://www.splunk.com/base/Documentation/latest/Admin/Bypassautomaticsourcetypeassignment">http://www.splunk.com/base/Documentation/latest/Admin/Bypassautomaticsourcetypeassignment</a></p> <p>Renaming Source type:<br /> <a href="http://www.splunk.com/base/Documentation/latest/Admin/Renamesourcetypes">http://www.splunk.com/base/Documentation/latest/Admin/Renamesourcetypes</a></p> Fri, 10 Sep 2010 08:52:57 PDT choneycutt http://www.splunk.com/support/forum:SplunkGeneral/4051/14488 http://www.splunk.com/support/forum:SplunkGeneral/4051/13992 <p>Seeing the same issue here. Any way to change the sourcetype of existing data?</p> Tue, 06 Apr 2010 10:55:55 PDT danieljimenez http://www.splunk.com/support/forum:SplunkGeneral/4051/13992 http://www.splunk.com/support/forum:SplunkGeneral/4051/13679 <p>I've got the same problem. Even specifying the sourcetype in inputs.conf doesn't have an effect. As it is I'm working on using the &quot;rename = iis&quot; key/value pair in my props.conf to manually rename the sourcetype, but it would sure be nice if this worked out of the box.</p> Tue, 16 Mar 2010 13:54:11 PDT bnwri http://www.splunk.com/support/forum:SplunkGeneral/4051/13679 http://www.splunk.com/support/forum:SplunkGeneral/4051/13339 <p>I do have it in inputs.conf:</p> <p>[monitor://\\iis_server\<a class="wiki_url_new" href="/base/LogFiles">LogFiles</a>\<a class="wiki_url_new" href="/base/W3SVC1">W3SVC1</a>]<br /> disabled = 0<br /> host = iis_server<br /> sourcetype = IIS</p> <p>And it worked fine until 4.0.9.</p> Thu, 25 Feb 2010 13:27:59 PST msallman http://www.splunk.com/support/forum:SplunkGeneral/4051/13339 http://www.splunk.com/support/forum:SplunkGeneral/4051/13298 <p>Agree, there are some opportunities for improvement with the automatic sourcetyper. The best practice is to manually set the sourcetype in inputs.conf whenever possible.</p> Wed, 24 Feb 2010 09:38:05 PST araitz http://www.splunk.com/support/forum:SplunkGeneral/4051/13298 http://www.splunk.com/support/forum:SplunkGeneral/4051/13288 <p>Since upgrading to 4.0.9, Splunk seems to have decided that I need an IIS-2 sourcetype (created in /etc/apps/learned/local/props.conf as best I can tell).<br /> Is there a way to get rid of this? I tried deleting the stanza from props.conf (and an apparently associated one in transforms.conf), but Splunk keeps re-creating it/them.<br /> I already have an IIS sourcetype, so when Splunk decides to use IIS-2 instead, it messes up my searches/reports.</p> <p>Thanks</p> Wed, 24 Feb 2010 06:14:41 PST msallman http://www.splunk.com/support/forum:SplunkGeneral/4051/13288