As my program isn't great at planning for the future, or doing anything involving industry standards, we are indexing our Liferay Tomcat logs in Splunk, but had not used the typical "access_combined" sourcetype: we just called it "liferay" and we extracted all the fields using more of an IIS theme (so 'cs_uri_stem' instead of 'uri', etc.). We built several rudimentary web stats dashboards for the various sites we are hosting in Liferay.
However, in a recent effort to get the Splunk App for Web Analytics working, I used the sourcetype rename and renamed our "liferay" sourcetype to "access_combined" and re-extracted all of the fields using the more common standard field names the App was expecting. So now, the Splunk App for Web Analytics works great, but all of my previously built custom web stats dashboards are broken because the old sourcetype (and associated field extractions) is no longer recognized.
Is there a way to have a single sourcetype respond to two different names, like a field alias? Or do I have to go and do a bunch of find & replace work and change all my old dashboards?
↧