Getting Data In

Sourcetype renaming itself!

attgjh1
Communicator

OK, so I uploaded this log once.
Let's call it logA.csv with sourcetype: temp.
The monitor looks something like this: [ ...desktop\folder\logA.csv]

So I've done my field extractions and everything and am pretty confident to get on with monitoring the entire directory. So I changed my monitor in inputs.conf to:

[...desktop\folder\]
blacklist = *.xls
disabled = false
followTail = 0
sourcetype = temp

and restarted Splunk.

Now I have several sourcetypes inside: temp, temp-2, temp-3, temp-4.

Is there any way to fix this? temp-2, temp-3, temp-4 don't show up in props.conf at all either.
Was there any step that went wrong?


kristian_kolb
Ultra Champion

This is a known feature of how Splunk treats CSV files. By default it will look for a header and extract the fields from that.

If it finds files that differ a little bit in your directory, it will create a new sourcetype-n.

There are a few posts here regarding this behaviour and how to fix it, here is one of them:
http://splunk-base.splunk.com/answers/24986/iis-log-fields-not-parsing


UPDATE:

You can rename sourcetypes as well, it will not really change things that are already indexed, but you can access them using the same sourcetype name in your searches.

http://docs.splunk.com/Documentation/Splunk/4.3.1/Data/Renamesourcetypes

Or you could use sourcetype=temp* in your searches.

Hope this helps,

Kristian
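As an added example, not code from the thread or from Splunk: a small Python pre-flight check that reads the first row of every CSV in a folder, the way Splunk's default CSV handling picks up the header, and groups the files by that header so drift is visible before the whole directory is monitored. It also builds the props.conf `rename` stanzas (the search-time renaming the linked docs page describes) that fold the variant names from the question back into `temp`. The folder and file contents are constructed for the demo; the order in which Splunk numbers variants (-2, -3, ...) is not reproduced.

```python
import csv
import os
import tempfile

# Constructed sample logs for one monitored folder (not files from the thread).
# logA.csv and logB.csv share a header; logC.csv renames two columns, the kind
# of small difference that makes Splunk mint a temp-2 style sourcetype.
SAMPLE_FILES = {
    "logA.csv": "time,src,dst,action\n10:00,1.1.1.1,2.2.2.2,allow\n",
    "logB.csv": "time,src,dst,action\n10:01,1.1.1.1,3.3.3.3,deny\n",
    "logC.csv": "time,source,dest,action\n10:02,4.4.4.4,2.2.2.2,allow\n",
}


def write_samples():
    """Write the constructed sample files into a fresh temp folder; return its path."""
    folder = tempfile.mkdtemp(prefix="csvdrift_")
    for name, body in SAMPLE_FILES.items():
        with open(os.path.join(folder, name), "w", newline="") as fh:
            fh.write(body)
    return folder


def header_signature(path):
    """Return the first row of a CSV as a normalised tuple of column names.

    Splunk's default CSV handling also treats the first line as the header,
    so a file whose header was deleted yields its first data row here and
    shows up as drift, just as it would get its own sourcetype in Splunk.
    """
    with open(path, newline="") as fh:
        row = next(csv.reader(fh), [])
    return tuple(col.strip().lower() for col in row)


def group_by_header(folder):
    """Map each distinct header signature to the CSV files that carry it."""
    groups = {}
    for name in sorted(os.listdir(folder)):
        if name.lower().endswith(".csv"):
            sig = header_signature(os.path.join(folder, name))
            groups.setdefault(sig, []).append(name)
    return groups


def drift_report(folder):
    """Return (canonical_header, drifted), where drifted lists (header, files)
    for every header that differs from the most common one in the folder."""
    groups = group_by_header(folder)
    if not groups:
        return (), []
    canonical = max(groups, key=lambda sig: len(groups[sig]))
    drifted = [(sig, files) for sig, files in groups.items() if sig != canonical]
    return canonical, drifted


def rename_stanzas(variant_sourcetypes, base):
    """Build props.conf stanzas that fold each variant sourcetype back into
    `base` at search time via the `rename` setting."""
    stanzas = []
    for sourcetype in variant_sourcetypes:
        stanzas.append(f"[{sourcetype}]\nrename = {base}")
    return "\n\n".join(stanzas)


if __name__ == "__main__":
    folder = write_samples()
    canonical, drifted = drift_report(folder)
    print("canonical header:", ",".join(canonical))
    for sig, files in drifted:
        print("drifted header:", ",".join(sig), "in", ", ".join(files))
    # Variant names are the ones from the question; which file produced
    # which variant is not known from the thread, so all fold into temp.
    print(rename_stanzas(["temp-2", "temp-3", "temp-4"], "temp"))
```

Run it against the real folder by pointing `drift_report` at it instead of `write_samples()`. Any file listed as drifted (including one whose header was removed, since its first data row is then compared as if it were a header) is a candidate for a temp-n sourcetype. The generated `rename` stanzas only change what the sourcetype field reports at search time; already indexed events keep their original sourcetype on disk, which is why a search for sourcetype=temp* still works as the fallback the answer mentions.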

kristian_kolb
Ultra Champion

see update above. /k

attgjh1
Communicator

I see.
I deleted all the headers, as the first time I indexed the file they ran in as an event line T_T
But I ensured the rest of the logs were the same format as the first after I extracted my own fields.

Is there any way to reverse it? I don't think I can simply reindex the same files now.
