ok. so i uploaded this log once.
let's call it logA.csv with sourcetype: temp
the monitor looks something like this: [ ...desktop\folder\logA.csv]
so ive done my field extractions and everything and am pretty confident to get on with monitoring the entire directory. so i changed my monitor in inputs.conf to:
[...desktop\folder\]
blacklist = *.xls
disabled = false
followTail = 0
sourcetype = temp
and restarted splunk.
now i have several sourcetypes inside: temp, temp-2, temp-3, temp-4
is there anyway to fix this? temp-2, temp-3, temp-4 doesnt show up in props.conf at all as well.
was there any step that went wrong?
This is a known feature of how Splunk treats CSV files. By default it will look for a header and extract the fields from that.
If it finds files that differ a little bit in your directory, it will create a new sourcetype-n
There are a few posts here regarding this behaviour and how to fix it, here is one of them:
http://splunk-base.splunk.com/answers/24986/iis-log-fields-not-parsing
UPDATE:
You can rename sourcetypes as well, it will not really change things that are already indexed, but you can access them using the same sourcetype name in your searches.
http://docs.splunk.com/Documentation/Splunk/4.3.1/Data/Renamesourcetypes
Or you could use sourcetype=temp*
in your searches.
Hope this helps,
Kristian
This is a known feature of how Splunk treats CSV files. By default it will look for a header and extract the fields from that.
If it finds files that differ a little bit in your directory, it will create a new sourcetype-n
There are a few posts here regarding this behaviour and how to fix it, here is one of them:
http://splunk-base.splunk.com/answers/24986/iis-log-fields-not-parsing
UPDATE:
You can rename sourcetypes as well, it will not really change things that are already indexed, but you can access them using the same sourcetype name in your searches.
http://docs.splunk.com/Documentation/Splunk/4.3.1/Data/Renamesourcetypes
Or you could use sourcetype=temp*
in your searches.
Hope this helps,
Kristian
see update above. /k
i see.
i deleted all the headers as the first time i indexed the file. they ran it in as an event line T_T
but i ensured the rest of the logs were the same format as the first after i extracted my own fields.
is there anyway to reverse it? i dont think i can simply reindex the same files now.