Knowledge Manager Manual

 


Rename source types

This documentation does not apply to the most recent version of Splunk.


Splunk gives you two ways to expand the range of values that you can use when searching for events with a specific source type.


Configure source type renaming

When you configure a source type in props.conf, you can rename the source type. This method enables you to give multiple source types the same name, which can be useful if you want to group a set of source types together for searching purposes.

Note: This method does not apply to events that have already been indexed. You can rename the source type of indexed events by using tags. See "Rename indexed events with tags", below.

To rename the source type, add the following into your source type stanza in props.conf in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/:

[<$SOURCETYPE>]
rename = <string>

After renaming, you can search for the source type with:

sourcetype=<string>

For example, if you wanted to rename the access_combined source type to webaccess:

[access_combined]
rename = webaccess

Then, to search for events with the new source type name:

sourcetype=webaccess

Note: If the source type in question has its indexing properties set in props.conf, you must use the actual stored source type value from sourcetypes.conf.

Renaming a source type doesn't remove its original name. You can search on the source type's original name using the _sourcetype attribute. For example, if you wanted to search for the access_combined source type (after you've renamed it to webaccess), you would use:

_sourcetype=access_combined
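
The following Python script is an added example, not part of the Splunk documentation: it reads the text of one props.conf, lists which original source types sit behind each renamed value, and builds the equivalent _sourcetype search. The sample configuration is constructed, and merging of settings across several props.conf files is not modelled.

```python
from collections import defaultdict

# Constructed sample props.conf content for illustration only.
SAMPLE_PROPS = """\
# web server logs
[access_combined]
rename = webaccess

[access_common]
rename = webaccess
TIME_FORMAT = %d/%b/%Y

[syslog]
TIME_FORMAT = %b %d %H:%M:%S
"""

def rename_map(props_text):
    """Return {original source type: renamed value} for stanzas that set rename."""
    renames, stanza = {}, None
    for raw in props_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1].strip()
            continue
        key, sep, value = line.partition("=")
        # source:: and host:: stanzas are not source type stanzas, so skip them
        if (sep and stanza and key.strip() == "rename" and value.strip()
                and not stanza.startswith(("source::", "host::"))):
            renames[stanza] = value.strip()
    return renames

def originals_by_name(renames):
    """Group original source types under the name they are searched by."""
    groups = defaultdict(list)
    for original, new in renames.items():
        groups[new].append(original)
    return {new: sorted(originals) for new, originals in groups.items()}

def original_search(name, groups):
    """Build a search on _sourcetype covering every original behind a renamed value."""
    return " OR ".join(f"_sourcetype={o}" for o in groups.get(name, []))

if __name__ == "__main__":
    groups = originals_by_name(rename_map(SAMPLE_PROPS))
    for name in groups:
        print(f"sourcetype={name} <- {groups[name]}: {original_search(name, groups)}")
```

Running it against a real file shows at a glance when one sourcetype= search spans several original source types, which matters when a saved search or alert was written against only one of them.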

Rename indexed events with tags

If you want to rename the source type in indexed events, use tags. Tags enable you to expand the range of values that you can use to search on a source type (or set of source types, since multiple source types can be given the same tag). For more information about tagging, see "About tags and aliases" in this manual.

This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11

