Getting Data In

How do I change the sourcetype on my Splunk forwarder from "syslog" to "json_no_timestamp"?

prees
Explorer

I am using a Splunk forwarder with a main Splunk server. The forwarder is listening on udp port 1514. And is sending logs to my Splunk server on port 9997.

Everything is working as far as I can tell. On the forwarder though, I want to change the sourcetype from syslog to json_no_timestamp. When I do this though, logs do not get sent through anymore.

In case it is relevant, I am running these all as docker containers. The syslogs that are coming in are being sent from docker containers, and the forwarder and main Splunk instance are separate containers.

I am not sure where the problem could be, any input would be greatly appreciated! It's possible the issue is with the container configuration or with Splunk itself? But it does all work when set to syslog so I am not sure.

I posted a trimmed-down docker-compose file, the Splunk logs, and the results from splunk cmd btool inputs list here:
https://gist.github.com/prees1/c26a305c4e012a395c78
There doesn't appear to be anything out of place in those files, from what I can tell.

1 Solution

javiergn
SplunkTrust

json_no_timestamp is a pre-trained sourcetype: http://docs.splunk.com/Documentation/Splunk/6.3.1511/Data/Listofpretrainedsourcetypes

I wonder if that's causing some unexpected side effects, because I would expect a json sourcetype to be coming from a plain text file and not via UDP. Can you try to name it something else and see what happens?

prees
Explorer

I should have mentioned that I have tried setting it to access_combined and _json, both of which worked. However, my logs are not in that format, so ultimately it doesn't work.

Are certain sourcetypes only allowed for file vs network inputs?


javiergn
SplunkTrust

I'm not too familiar with the _json* sourcetypes, but worst case scenario, name it something random in your forwarder and then rename this sourcetype to json_no_timestamp before indexing at the indexer level and see if that works.
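
The "name it something random on the forwarder, rename it at index time" approach from this answer, as an added example that is not from the thread or from Splunk's documentation: an inputs.conf stanza for the UDP listener with a placeholder sourcetype, and the props.conf/transforms.conf pair that rewrites that sourcetype to json_no_timestamp before the event is written to the index. The stanza name udp_json_raw and the transform name rename_to_json_no_timestamp are assumed; any unused names work.

```ini
# --- Forwarder: inputs.conf (added example; udp_json_raw is an assumed placeholder name) ---
# The UDP listener from the question. Using a sourcetype that is NOT one of the
# pre-trained names means none of Splunk's built-in rules for json_no_timestamp
# are applied to the raw UDP stream on the forwarder.
[udp://1514]
sourcetype = udp_json_raw
connection_host = ip
# UDP inputs prepend a timestamp and host to each received event unless this is
# set; that prefix is one way a "syslog-looking" header ends up in front of an
# otherwise valid JSON body and breaks JSON field extraction.
no_appending_timestamp = true

# --- Indexer: props.conf (added example) ---
# Attach an index-time transform to every event that arrives with the
# placeholder sourcetype.
[udp_json_raw]
TRANSFORMS-set_sourcetype = rename_to_json_no_timestamp

# --- Indexer: transforms.conf (added example) ---
# Match every event (REGEX = .) and overwrite the sourcetype metadata key.
# After this runs, the event is indexed as json_no_timestamp and the
# pre-trained search-time settings for that sourcetype (JSON field
# extraction) apply normally.
[rename_to_json_no_timestamp]
REGEX = .
FORMAT = sourcetype::json_no_timestamp
DEST_KEY = MetaData:Sourcetype
```

Two checks are worth doing after restarting: `splunk cmd btool props list udp_json_raw --debug` on the indexer should show the TRANSFORMS-set_sourcetype line and which file it came from, and a search for `sourcetype=json_no_timestamp` should return the new events while `sourcetype=udp_json_raw` returns nothing. One caveat: index-time transforms run on whichever instance parses the data first. If the "forwarder" container is a full Splunk instance acting as a heavy forwarder (as running btool on it suggests), parsing happens there, and the props.conf/transforms.conf pair must be placed on the forwarder rather than the indexer; a universal forwarder does not parse, so in that case the indexer is the right place.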

prees
Explorer

That seems to have worked. I roughly followed how to rename it from this post here:

https://answers.splunk.com/answers/52198/change-sourcetype-index-after-data-is-indexed-from-forwarde...

Thank you!

However, it is not indexing or extracting my JSON properly, but I think that is due to the syslog prefix being added to my logs now. Unrelated, separate issue.


ppablo
Retired

Hi @prees

Don't forget to accept @javiergn's answer to show this post as resolved and upvote the answer/comment that helped you.


prees
Explorer

Alright, I will give that a try, thanks! As I am new to Splunk, when you say 'rename' the sourcetype, which config file would that be a part of? Is it related to transforms or props? I am still getting up to speed on configuring Splunk. Thanks again!
