Create an alias for a source type
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Contents
Create an alias for a source type
Use these instructions if you are trying to create an alias for one of Splunk's automatically assigned sourcetype:: names. Source type aliases make it easier for users to search and navigate SplunkWeb.
Aliasing doesn't actually change the sourcetype: value that is stored in Splunk's index, so source type aliases can't be used to set custom indexing properties or extracted field rules. If you're trying to ensure that custom properties or fields apply to events, you'll need to set sourcetype for an input, set sourcetype for a source, or train Splunk on a sourcetype.
via SplunkWeb
By clicking on the drop down arrow next to any source type in SplunkWeb's search results, you can create a source type alias:
Simply enter the new source type alias in the pop-up window:
Please note: If you're not seeing sourcetype under your results you may have hidden the sourcetype field via the fields menu or you may have show fields unchecked in your preferences.
This documentation applies to the following versions of Splunk: 3.0 , 3.0.1 , 3.0.2 , 3.1 , 3.1.1 , 3.1.2 , 3.1.3 , 3.1.4 View the Article History for its revisions.