- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Where to re-define a sourcetype when accidentally ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Where to re-define a sourcetype when accidentally set wrong in inputs.conf
Hi,
I have set a inputs.conf stanza on my indexer that looks like this.
[tcp://10.X.X.X:1500]
disabled = false
index = blablabla
sourcetype = webservers
host = blablabla.bla.de
Everything seems to be fine. The data gets received and indexed correctly. It shows up with sourcetype="webservers" after searching.
But. I can't find the sourcetype "webservers" via splunk web.
I think I did something wrong and should have set the sourcetype via props.conf in the first place.
Can you give me an example of a stanza on how to set a sourcetype for a data-receiving via tcp:1500 in props.conf?
Thank you very much!
Kind regards,
pyro_wood
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The sourcetype must have been defined on Indexers, so there definition will not be available in Search Head's Splunk Web. Try to login to Splunk Web (if enabled) of Indexer OR just run btool on Indexer server for the sourcetype see the definition
splunk cmd btool props list webservers
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you, I'll try it out 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The most common reasons for this problem are
(1) Index "blablabla" is not searchable for your role by default. Try searching for index=blablabla sourcetype=webservers or index=* sourcetype=webservers
(2) Your role has no access to index "blablabla" at all
The best place to set the sourcetype for an input is inputs.conf - you did exactly the right thing.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Iguinn,
thank you for your reply. But unfortunately those two suggestions are not the case.
I'm logged in as the standard splunk admin user and I can search and have the right to view the index and the sourcetype.
Somehow I can't find the defined sourcetype via splunk web. Not on the SH, Master nor the indexer-peers.
When I do a grep -r "webservers" /splunk/ on one of the indexers if find the sourcetype in files like this:
/splunk/etc/slave-apps/_cluster/local/inputs.conf:sourcetype = webservers
/splunk/etc/slave-apps/_cluster/local/props.conf:sourcetype=webservers
....
Do you any other idea, what could have gone wrong there?
Thanks again!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Iguinn,
I've noticed the strange behavior.
If I want to add data via splunk web I can find and select the sourcetype "webservers".
But if I go under settings -> sourcetypes I don't find "webservers" anywhere.
Maybe this is normal behavior, I'm just curious and confused.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
