Sourcetype not changing for windows application lo...

jericksonpf · ‎08-28-2013

I have a universal forwarder sending the application logs for a windows 2003 server we have that only runs one application.

Here is what my inputs.conf stanza looks like:

[WinEventLog:Application]
index=radical_index
sourcetype=bizznezz

However the logs show up in splunk as WinEventLog:Application no matter how many times i restart the service.

Interestingly as a test i changed the hostname on the inputs.conf and that change was immediately reflected

lukejadamec · ‎08-28-2013

It sounds like one of your other apps is mining data and tagging it with the windows application source type.

If your bizznezz sourcetype has data, then you really are asking how to stop the other apps from also sourcetyping this data.

lukejadamec · ‎09-04-2013

I'm pretty sure the stanza you're looking for is in splunk/etc/apps/windows/default/eventgen/transforms.conf
But I don't know how to change it to make it stop tagging your logs.
I still don't really understand, why is it a problem to have them all tagged with the application sourcetype?

jericksonpf · ‎09-04-2013

where do i check whcih apps are sourcetyping? do i have to looks at the props.conf for each app? Doesn't splunk itself autmatically generate fields

jericksonpf · ‎08-28-2013

yes they are receiving events. These are biztalk logs

lukejadamec · ‎08-28-2013

What windows related apps do you have installed on the forwarder and indexer?

Also, is the sourcetype bizznezz populated with the data?

Sourcetype not changing for windows application logs

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms