Hi all,
I realized then Splunk hasn't been correctly auto-setting the sourcetypes for my incoming logs, resulting in lots of sourcetypes.
Now, when I want to do field extractions, I'm unable to do so to multiple logs at once since they have different sourcetypes.
Is it possible for me to set two sourcetypes to a single source so that I can do field extractions for the new sourcetype while keeping the old extractions for the old sourcetype?
↧