Rename source types at search time
You might encounter situations where you want to rename a source type. For example, say you accidentally assigned an input to the wrong source type. Or you realize that two differently named source types actually need to be handled the same way at search time.
If you use Splunk Enterprise, you can add the rename
setting in the props.conf configuration file to assign events to a new source type at search time. If you need to search on it, Splunk Enterprise moves the original source type to a separate field, called _sourcetype
.
On Splunk Cloud Platform, you must open a support ticket to rename source types, as the props.conf file is not available for editing on a Splunk Cloud Platform instance and using a heavy forwarder is not possible as renaming source types is only applicable on data that you have already indexed.
The indexed events still contain the original source type name. The renaming of source types occurs only at search time. Also, renaming the source type does only that. It doesn't fix problems with the indexed format of your event data that were caused by assigning the wrong source type in the first place.
To rename the source type, add the rename
setting to your source type stanza in the props.conf file:
rename = <string>
Source type names do not support the following characters: <
, >
, ?
, #
, and &
For example, say you're using the source type cheese_shop
for your application server. Then you accidentally index a bunch of data as source type whoops
. You can rename whoops
to cheese_shop
with the following stanza in the props.conf file:
[whoops] rename=cheese_shop
Now, a search on cheese_shop
returns all the whoops
events as well as any events that had the cheese_shop
source type:
sourcetype=cheese_shop
If you ever need to single out the whoops
events, you can use _sourcetype
in your search:
_sourcetype=whoops
Data from a renamed source type uses only the search-time configuration for the target source type, in this example it is cheese_shop
. The Splunk platform ignores any field extractions for the original source type.
Manage source types | About event segmentation |
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.11, 8.1.13, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0, 8.1.10, 8.1.12, 8.1.14, 8.1.2
Feedback submitted, thanks!