I have logs stored in Splunk and they are of sourcetype=test, but I recently found an app that parses this type of log, and it needs a different sourcetype (sourcetype=good_type) to parse them. I tried sourcetype renaming, but it only changed the name of the sourcetype; the logs did not get parsed by the app.
You will need to change the sourcetype on the host machine(s) where the forwarder is installed. You will edit the inputs.conf and change the sourcetype there.
What's the name of the app, and which machine did you install the app on? I'm assuming you will need it installed on the indexer, since that does the parsing.
After setting the new sourcetype, I assume you want to re-index the data, right? That means running the soft delete using | delete for this data and clearing the caching in the fishbucket - definitely at the forwarder level, but potentially also at the index level. Then, when re-indexing with the modified inputs.conf, you should be fine.
It's the TA for Symantec Endpoint Protection (syslog). I installed the app on the search head and the forwarder; I would need to install it on the indexer, right?
Are you using Universal Forwarders or a Heavy Forwarder?
Universal forwarders are unable to parse data; they can only forward data to the indexer, which will then parse it. So for this app to work, it will need to be on the indexer, and you will need to change your sourcetype name on the forwarder in the inputs.conf file.
So go onto one of your forwarders to test this, go to Splunk/etc/system/local/inputs.conf, and change your sourcetype.
Would I add a stanza like this one to inputs.conf to change the sourcetype?
[test]
rename=good_type
Your stanza in inputs.conf should look like this.
Make sure to put in the hostname of the machine, the path you want to monitor, and the index you want this to go into. Also make sure you restart the forwarder service after making these changes.
[default]
host = SERVERNAME
[monitor://PATH_NAME]
disabled = false
sourcetype = good_type
index = YOUR INDEX
Were you able to get this going? If this helped, then can you accept/like the answer?
You would need to update the inputs.conf with which the data is collected, changing the sourcetype from test to good_type (recommended). In order for the new sourcetype's parsing to take place, it has to be applied before the data is indexed.
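The answers above all come down to the same point: the sourcetype stamped on an event is decided in inputs.conf on the forwarder, before indexing, and a search-time rename does not change what the indexer's parsing apps see. Before touching a fleet of forwarders it is worth knowing which monitor stanzas still emit the old sourcetype and then rewriting only those. The script below is an added example, not code from the thread or from the Symantec TA: it parses inputs.conf text (stanza headers, key = value lines, '#' comment lines, [default] inheritance), reports the effective sourcetype of every monitor:// stanza, and rewrites sourcetype = test to sourcetype = good_type while leaving every other line untouched. The sample inputs.conf is constructed; SERVERNAME, the log paths and YOUR_INDEX are placeholders.

```python
"""Audit and rewrite sourcetype assignments in a Splunk inputs.conf.

Added example (not from the thread). Handles the INI-like inputs.conf
format: [stanza] headers, key = value lines, lines starting with '#'
as comments, and sourcetype inheritance from the [default] stanza.
"""
import re
from typing import Dict, List, Optional

STANZA_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
KV_RE = re.compile(r"^\s*(?P<key>[^=\s][^=]*?)\s*=\s*(?P<value>.*?)\s*$")

# Constructed sample; hostname, paths and index are placeholders.
SAMPLE_INPUTS_CONF = """\
# constructed sample inputs.conf
[default]
host = SERVERNAME

[monitor:///var/log/sep/agent.log]
disabled = false
sourcetype = test
index = YOUR_INDEX

[monitor:///var/log/sep/traffic.log]
disabled = false
sourcetype = test
index = YOUR_INDEX

[monitor:///var/log/messages]
sourcetype = syslog
index = os
"""


def parse_inputs_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {stanza_name: {key: value}}; a later duplicate key wins."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank or full-line comment
        m = STANZA_RE.match(raw)
        if m:
            current = m.group("name")
            stanzas.setdefault(current, {})
            continue
        kv = KV_RE.match(raw)
        if kv and current is not None:
            stanzas[current][kv.group("key")] = kv.group("value")
    return stanzas


def effective_sourcetypes(text: str) -> Dict[str, Optional[str]]:
    """Map each monitor:// stanza to the sourcetype it will stamp on events.

    A monitor stanza without its own sourcetype inherits [default]'s; if
    neither sets one, Splunk auto-detects, reported here as None.
    """
    stanzas = parse_inputs_conf(text)
    default_st = stanzas.get("default", {}).get("sourcetype")
    return {name: kv.get("sourcetype", default_st)
            for name, kv in stanzas.items() if name.startswith("monitor://")}


def stanzas_using(text: str, sourcetype: str) -> List[str]:
    """Monitor stanzas whose effective sourcetype equals `sourcetype`."""
    return sorted(n for n, st in effective_sourcetypes(text).items() if st == sourcetype)


def rewrite_sourcetype(text: str, old: str, new: str) -> str:
    """Replace 'sourcetype = old' with 'sourcetype = new' in monitor:// and
    [default] stanzas only; every other line is preserved byte-for-byte."""
    out: List[str] = []
    current: Optional[str] = None
    for raw in text.splitlines():
        m = STANZA_RE.match(raw)
        if m:
            current = m.group("name")
        else:
            kv = KV_RE.match(raw)
            in_scope = current is not None and (
                current.startswith("monitor://") or current == "default")
            if (kv and in_scope and kv.group("key") == "sourcetype"
                    and kv.group("value") == old):
                # The value is the last occurrence of `old` on the line.
                pos = raw.rfind(old)
                raw = raw[:pos] + new + raw[pos + len(old):]
        out.append(raw)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    print("still emitting sourcetype=test:", stanzas_using(SAMPLE_INPUTS_CONF, "test"))
    print(rewrite_sourcetype(SAMPLE_INPUTS_CONF, "test", "good_type"))
```

Run it against a copy of each forwarder's Splunk/etc/system/local/inputs.conf (or the relevant app's local/inputs.conf) and restart the forwarder after writing the result back. As the thread notes, this only affects events indexed from that point on; anything already indexed keeps sourcetype=test until it is deleted and re-indexed.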