Documentation > Splunk > Admin Manual > Set source type for a source

Admin Manual

 


How Splunk Works
Getting Started
Data Inputs
Data Distribution
Indexing
Timestamps
Fields
Hosts
Source Types
Event Types
Transaction Types
Search
Distributed Search
Security
Data Management
Deployment Server
Performance Tuning
Configuration Files
Applications
Reference
Troubleshooting

Set source type for a source

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Contents

Set source type for a source

Use these instructions to assign a source type based on a source.


Note: This only impacts new data coming in following your configuration change. If you want to correct the source type displayed in Splunk Web for data that has already been indexed, create an alias instead.


via configuration files

Add a stanza for your source in $SPLUNK_HOME/etc/bundles/local/props.conf and set a sourcetype = attribute: 


[source::.../var/log/anaconda.log(.\d+)?]
sourcetype = anaconda

This sets any events from sources containing the string /var/log/anaconda.log followed by any number of numeric characters to sourcetype=anaconda.


Learn more about props.conf.

Retrieved from "http://docs.splunk.com/Documentation/Splunk/3.2.6/Admin/SetSourceTypeForASource"

This documentation applies to the following versions of Splunk: 3.2 , 3.2.1 , 3.2.2 , 3.2.3 , 3.2.4 , 3.2.5 , 3.2.6 View the Article History for its revisions.


You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.