Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I configure custom sourcetypes on Universal Forwarders and Indexers?

rob_lamb
Explorer
‎02-02-2016 02:17 PM

I have two Linux VMs set up, one with a Universal Forwarder and one with an Indexer. I have a script that generates dummy data (on the forwarder) that needs a custom sourcetype set up in order to parse the events correctly.

On the Universal Forwarder props.conf is currently empty, and inputs.conf contains:

[monitor:///home/splunk/data/data1*.soap]
_TCP_ROUTING = SOAP
disabled = false
sourcetype = soaptype

On the Indexer, props.conf contains:

[soaptype]
BREAK_ONLY_BEFORE = <SOAP-ENV:Envelope
TIME_PREFIX = <ns1:dateRequested>

As of right now my events aren't making it into the indexer at all. If I remove the sourcetype from inputs.conf and props.conf, data appears, but it is splitting the events incorrectly.

Any suggestions? Many thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎02-02-2016 02:56 PM

Sounds like you have a few problems here.. First let's address the forwarder not sending data to the indexer.. Do you have the hostname specified in the outputs.conf on the forwarder? If not then this will solve your problem, don't forget to restart the Splunk service on the forwarder

Your next issue is defining the sourcetype so it remains constant. Go into the props.conf on the indexer and add this stanza then restart your Splunk service on the indexer. If you specify if your sourcetype in the props.conf then it will automatically default to what you specified when the data is being indexed 

[soaptype]
 BREAK_ONLY_BEFORE = <SOAP-ENV:Envelope
 TIME_PREFIX = <ns1:dateRequested>
 sourcetype = soaptype

View solution in original post

Reply
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎02-02-2016 02:56 PM

Sounds like you have a few problems here.. First let's address the forwarder not sending data to the indexer.. Do you have the hostname specified in the outputs.conf on the forwarder? If not then this will solve your problem, don't forget to restart the Splunk service on the forwarder

Your next issue is defining the sourcetype so it remains constant. Go into the props.conf on the indexer and add this stanza then restart your Splunk service on the indexer. If you specify if your sourcetype in the props.conf then it will automatically default to what you specified when the data is being indexed 

[soaptype]
 BREAK_ONLY_BEFORE = <SOAP-ENV:Envelope
 TIME_PREFIX = <ns1:dateRequested>
 sourcetype = soaptype
Reply
Solved! Jump to solution

rob_lamb
Explorer
‎02-03-2016 07:47 AM

I've added "sourcetype = soaptype" to my [soaptype] stanza on the indexer's props.conf per your note above, and restarted the indexer. I also cleaned up my outputs.conf file on my Universal Forwarder and restarted that.
When I dropped in a new file, the indexer picked it up and parsed it correctly. Thanks very much for the assistance!

Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...