Configure a source type alias
This documentation does not apply to the most recent version of Splunk.
Think of a source type alias as a tag for a value of the sourcetype field. Besides aliasing a source type in Splunk Web, you can configure a source type alias in tags.conf, the same way you configure tags for a field.
In tags.conf you can:
- Add new source type aliases by adding tag::<sourcetype_value>::<sourcetype_alias>=enabled in the [sourcetype] stanza (there should be only one such stanza in the tags.conf file; if it doesn't already exist, you can create it manually).
- Enable and disable source type aliases by changing their values to enabled or disabled.
Note: You can only enter one source type alias (or tag) per line in a tags.conf stanza.
The following example shows a sample configuration of source type aliases (tags for values of the sourcetype field). In this example, events from the access_common, cups_access, and syslog source types are all aliased as FAIL. The syslog alias for the syslog source type is disabled.

[sourcetype]
tag::syslog::syslog = disabled
tag::access_common::FAIL = enabled
tag::cups_access::FAIL = enabled
tag::syslog::FAIL = enabled

If you search for sourcetype=FAIL with this configuration, your search will return events from the access_common, cups_access, and syslog source types.
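
The following is an added example, not Splunk code and not part of the original page: a Python check that reads tags.conf text, applies the rules stated above (one [sourcetype] stanza, one tag per line, values of enabled or disabled), and reports which source types a search on each alias would cover. The function name and the sample string are constructed for illustration, and the parsing is an assumption based only on the syntax shown on this page.

```python
import re
from collections import defaultdict

# Constructed sample: the configuration shown on this page.
SAMPLE = """\
[sourcetype]
tag::syslog::syslog = disabled
tag::access_common::FAIL = enabled
tag::cups_access::FAIL = enabled
tag::syslog::FAIL = enabled
"""

TAG_LINE = re.compile(r"^tag::(.+?)::([^:=\s]+)\s*=\s*(\S+)$")


def parse_sourcetype_aliases(text):
    """Return (aliases, problems) for the [sourcetype] stanza of tags.conf text.

    aliases maps alias -> sorted list of source types where it is enabled.
    problems lists (line number, reason) for lines that break the page's rules.
    """
    aliases = defaultdict(set)
    problems = []
    stanza = None
    stanza_count = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            if stanza == "sourcetype":
                stanza_count += 1
                if stanza_count > 1:
                    problems.append((lineno, "more than one [sourcetype] stanza"))
            continue
        if stanza != "sourcetype":
            continue
        if line.count("tag::") > 1:
            problems.append((lineno, "more than one tag on a line"))
            continue
        m = TAG_LINE.match(line)
        if not m or m.group(3) not in ("enabled", "disabled"):
            problems.append((lineno, "not tag::<value>::<alias> = enabled|disabled"))
            continue
        value, alias, state = m.groups()
        if state == "enabled":
            aliases[alias].add(value)
    return {a: sorted(v) for a, v in aliases.items()}, problems
```

Running it over the sample shows that FAIL covers all three source types, while the disabled syslog alias does not appear at all.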
This documentation applies to the following versions of Splunk: 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13, 3.4.14