Rename source types at search time
You might encounter situations where you want to rename a source type. For example, say you accidentally assigned an input to the wrong source type. Or you realize that two differently named source types actually need to be handled the same way at search time.
If you use Splunk Enterprise, you can add the rename setting in the props.conf configuration file to assign events to a new source type at search time. If you need to search on it, Splunk Enterprise moves the original source type to a separate field, called _sourcetype.
On Splunk Cloud Platform, you must open a support ticket to rename source types, as the props.conf file is not available for editing on a Splunk Cloud Platform instance and using a heavy forwarder is not possible as renaming source types is only applicable on data that you have already indexed.
The indexed events still contain the original source type name. The renaming of source types occurs only at search time. Also, renaming the source type does only that. It doesn't fix problems with the indexed format of your event data that were caused by assigning the wrong source type in the first place.
To rename the source type, add the rename setting to your source type stanza in the props.conf file:
rename = <string>
Source type names do not support the following characters: <, >, ?, #, and &
For example, say you're using the source type cheese_shop for your application server. Then you accidentally index a bunch of data as source type whoops. You can rename whoops to cheese_shop with the following stanza in the props.conf file:
[whoops] rename=cheese_shop
Now, a search on cheese_shop returns all the whoops events as well as any events that had the cheese_shop source type:
sourcetype=cheese_shop
If you ever need to single out the whoops events, you can use _sourcetype in your search:
_sourcetype=whoops
Data from a renamed source type uses only the search-time configuration for the target source type, which, in this example, is cheese_shop. The Splunk platform ignores any field extractions for the original source type.
| Manage source types | About event segmentation |
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.1.8, 9.1.9, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.4.0, 9.4.1, 9.4.2
Download manual
Feedback submitted, thanks!