Splunk® Enterprise

Getting Data In

Download manual as PDF

Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Rename source types

You might want to rename a source type in certain situations. For example, say you accidentally assigned an input to the wrong source type. Or you realize that two differently named source types should be handled exactly the same at search time.

You can use the rename attribute in props.conf to assign events to a new source type at search time. In case you ever need to search on it, the original source type is moved to a separate field, _sourcetype.

Note: The indexed events still contain the original source type name. The renaming occurs only at search time. Also, renaming the source type does only that; it will not fix any problems with the indexed format of your event data caused by assigning the wrong source type in the first place.

To rename the source type, add the rename attribute to your source type stanza:

rename = <string>

For example, say you're using the source type "cheese_shop" for your application server. Then, accidentally, you index a pile of data as source type "whoops". You can rename "whoops" to "cheese_shop" with this props.conf stanza:


Now, a search on "cheese_shop" will bring up all the "whoops" events as well as any events that had a "cheese_shop" source type from the start:


If you ever need to single out the "whoops" events, you can use _sourcetype in your search:


Important: Data from a renamed source type will only use the search-time configuration for the target source type ("cheese_shop" in this example). Any field extractions for the original source type ("whoops" in the example) will be ignored.

Create source types
About segmentation

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18


Not currently supported. See http://splunk-base.splunk.com/answers/8047/renaming-sourcestypes-feature-wildcards

October 27, 2011

Wildcards allowed in specifying the original sourcetype name? i.e. logfile-* instead of logfile-hostname.domain.tld <br />?

June 15, 2011

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters