How to change the source type name used when searching
- Release date: 2019-08-29
- Last updated: 2023-11-27
- Version: Splunk Enterprise 9.1.1
- Overview
- Splunk has a props.conf setting called "rename" that lets you search a source type under a different name from the one it was indexed with.
Use it when you want to search the target logs with a source type name that differs from the one assigned at import time, or when you want to search several source types as if they were one.
To use it, set the "rename" parameter in props.conf.
About the "rename" function
In Splunk, you normally search for the target logs by specifying the source type name assigned when the logs were imported.
The "rename" function changes the source type name used at search time, without touching the indexed data.
It lets you do the following:
- Search logs under an alias other than the source type name assigned at import time
- Treat several source types as the same one when searching
Setting Example
<Assumption>
Source type name assigned at import: sourcetypeA
Source type name to use when searching: sourcetypeB
<Setting target file>
On the search head:
$SPLUNK_HOME/etc/system/local/props.conf or
$SPLUNK_HOME/etc/apps/<your app>/local/props.conf
*$SPLUNK_HOME is the installation directory. The defaults are as follows:
<Linux>
Splunk Enterprise : /opt/splunk
<Windows>
Splunk Enterprise : C:\Program Files\Splunk
Settings to add
[sourcetypeA]
…existing configuration…
rename = sourcetypeB
After adding the above settings, the target source type is handled as follows at search time.
- If you search with sourcetype=sourcetypeB, the logs imported as sourcetypeA appear in the search results.
- If you search with sourcetype=sourcetypeA, the logs imported as sourcetypeA no longer appear in the search results.
In addition, the "_sourcetype" field still holds the original name, so you can search for the target logs by the source type name from before the change.
<Example>
_sourcetype = sourcetypeA
Notes
The "rename" function applies only at search time. The source type name assigned when the logs were imported is not changed, and the indexed data is not rewritten.
Data from a renamed source type uses only the search-time configuration of the target source type: field extractions (EXTRACT, REPORT, LOOKUP, KV_MODE, etc.) defined in the stanza of the original source type are ignored (see the description of "rename" in props.conf.spec). If sourcetypeA has its own search-time extractions, define them under the target stanza and confirm that the fields your searches depend on are still extracted after the change.
To check which props.conf stanza is actually in effect after editing, run $SPLUNK_HOME/bin/splunk btool props list sourcetypeA --debug on the search head; the output shows the file each setting, including rename, was loaded from.
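To make the search-time behaviour above concrete, here is an added example (not code from the original page or from Splunk) that simulates how a props.conf rename is resolved. It parses a constructed props.conf fragment with Python's configparser, stamps a few constructed events with their index-time source type, and runs the three searches discussed in this FAQ (sourcetype=sourcetypeB, sourcetype=sourcetypeA, _sourcetype=sourcetypeA). It also goes slightly beyond the single-stanza case above by renaming two source types to the same target, which is the "treat several source types as the same" case. The function names, the stanza names other than sourcetypeA and sourcetypeB, and the log lines are assumptions made for this illustration.

```python
"""Simulate how Splunk resolves a props.conf `rename` at search time.

Added example, not from the original page or from Splunk. The helper
names (load_rename_map, search_fields, search), the extra stanzas and
the event text are assumptions for this illustration.
"""
from __future__ import annotations

import configparser
from dataclasses import dataclass

# Constructed props.conf fragment. Two stanzas are renamed to the same
# target, which is the "treat several source types as the same" case.
PROPS_CONF = """
[sourcetypeA]
SHOULD_LINEMERGE = false
rename = sourcetypeB

[sourcetypeC]
rename = sourcetypeB

[sourcetypeD]
SHOULD_LINEMERGE = false
"""


@dataclass(frozen=True)
class Event:
    raw: str
    index_time_sourcetype: str  # the name stamped on the event at import


def load_rename_map(props_text: str) -> dict[str, str]:
    """Return {original_sourcetype: renamed_sourcetype} from props.conf text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option key case, as Splunk does
    cp.read_string(props_text)
    return {
        stanza: cp[stanza]["rename"].strip()
        for stanza in cp.sections()
        if "rename" in cp[stanza]
    }


def search_fields(event: Event, renames: dict[str, str]) -> dict[str, str]:
    """Search-time view of one event: `sourcetype` reflects the rename,
    `_sourcetype` keeps the name stamped at index time."""
    original = event.index_time_sourcetype
    return {
        "sourcetype": renames.get(original, original),
        "_sourcetype": original,
    }


def search(events, renames: dict[str, str], **criteria) -> list[str]:
    """Return the raw text of events whose search-time fields match every
    criterion, e.g. search(events, renames, sourcetype="sourcetypeB")."""
    return [
        e.raw
        for e in events
        if all(search_fields(e, renames).get(k) == v for k, v in criteria.items())
    ]


# Constructed sample events (not real log data).
EVENTS = [
    Event("2023-11-27T09:00:00 login ok user=alice", "sourcetypeA"),
    Event("2023-11-27T09:00:05 login failed user=bob", "sourcetypeA"),
    Event("2023-11-27T09:00:10 fw allow 10.0.0.5", "sourcetypeC"),
    Event("2023-11-27T09:00:15 unrelated event", "sourcetypeD"),
]

if __name__ == "__main__":
    renames = load_rename_map(PROPS_CONF)
    # sourcetype=sourcetypeB: events from both renamed source types
    print(search(EVENTS, renames, sourcetype="sourcetypeB"))
    # sourcetype=sourcetypeA: empty, the old name is no longer matched
    print(search(EVENTS, renames, sourcetype="sourcetypeA"))
    # _sourcetype=sourcetypeA: the original name still works via _sourcetype
    print(search(EVENTS, renames, _sourcetype="sourcetypeA"))
```

The simulation only models the field mapping; it does not model which stanza's field extractions apply, which is the separate caveat from props.conf.spec noted above.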
That is all.
Contact: Macnica Co., Ltd., Splunk team
- TEL: 045-476-2010
- E-mail: splunk-sales@macnica.co.jp
Mon-Fri 8:45-17:30