I have a syslog feed sending me firewall data from a linux system. It calls that sourcetype syslog, of course.
I'm following the docs here:
http://docs.splunk.com/Documentation/Splunk/6.5.2/Data/Createsourcetypes
and have added the stanza in my props.conf:
[source::/var/log/firewall.log]
sourcetype = firewall
And it doesn't work.
I see in some places (online docs and answers, and in the default/props.conf) that it uses the stanza format with leading "...":
[source::.../var/log/firewall.log]
sourcetype = firewall
I tried that as well, no work.
True to Splunk documentation, it doesn't say WHERE in a clustered environment I need to put this. So, I slowly added it at every level, still no workie. I added that props to the forwarders. I added it to the indexers (deployed via master). I added it to the search heads.
thoughts?
Hi Michael,
you have to associate your sourcetype to your data flow in inputs.conf (see http://docs.splunk.com/Documentation/Splunk/6.5.1/Admin/Inputsconf), e.g.:
[udp://syslog.corp.company.net:514]
sourcetype = syslog
...
and define your sourcetype's features in props.conf (see http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf), e.g.:
[syslog]
SHOULD_LINEMERGE = True
...
Bye.
Giuseppe
Hi,
you need to use inputs.conf to define the source of data that is being ingested. I see how the naming there can be confusing. If your data for that Linux firewall is forwarded, you should have inputs.conf with the source on the forwarders and the indexer.
In inputs.conf you then specify the sourcetype, so you don't have to use it again in props.conf.
Inputs.conf:
[source::/var/log/firewall.log]
sourcetype = firewall
index = (if you don't use an index here, it will go to main)
props.conf:
[firewall]
SHOULD_LINEMERGE = True
...
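The part both answers leave implicit is what a `[source::...]` stanza in props.conf actually matches against: the `source` field of the event as the input assigned it, not the file the data came from on the origin host. The following is an added example, not Splunk's own code and not code from either poster. It re-implements the two wildcard rules documented for props.conf source stanzas (`*` matches anything except a path separator, `...` matches anything including separators), treats a pattern as a whole-string match (an assumption; it is the reading under which the leading `...` form from the question makes sense), and does not model precedence when several stanzas match. The props.conf text and the source values are constructed for the example; `udp:514` is the default source a plain `[udp://514]` input assigns, which is why a file-path stanza never fires for a syslog feed.

```python
"""Simplified re-implementation of Splunk props.conf [source::...] matching.

Added example; not Splunk code. Models the two documented wildcards:
    *    anything except a path separator (/ or \\)
    ...  anything, path separators included
and assumes a stanza must match the whole source value (assumption).
"""
import re


def parse_conf(text):
    """Minimal Splunk .conf parser: {stanza_name: {key: value}}.
    The files are INI-like; '#' starts a comment; key case is preserved."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def source_stanza_regex(pattern):
    """Translate a source:: pattern into a compiled regex (used with fullmatch)."""
    parts = []
    for token in re.split(r"(\.\.\.|\*)", pattern):
        if token == "...":
            parts.append(".*")            # crosses directory boundaries
        elif token == "*":
            parts.append(r"[^/\\]*")      # stops at a path separator
        else:
            parts.append(re.escape(token))
    return re.compile("".join(parts))


def matching_source_stanzas(props_text, source):
    """Names of all [source::...] stanzas whose pattern matches `source`."""
    matches = []
    for name in parse_conf(props_text):
        if name.startswith("source::"):
            if source_stanza_regex(name[len("source::"):]).fullmatch(source):
                matches.append(name)
    return matches


def resolve_sourcetype(props_text, source, input_sourcetype):
    """Sourcetype after props.conf source:: overrides, starting from the value
    inputs.conf assigned. First matching stanza that sets 'sourcetype' wins
    (real precedence rules are not modelled)."""
    stanzas = parse_conf(props_text)
    for name in matching_source_stanzas(props_text, source):
        if "sourcetype" in stanzas[name]:
            return stanzas[name]["sourcetype"]
    return input_sourcetype


# Constructed props.conf carrying both stanza forms from the question.
PROPS_CONF = """
[source::/var/log/firewall.log]
sourcetype = firewall

[source::.../var/log/firewall.log]
sourcetype = firewall

[firewall]
SHOULD_LINEMERGE = false
"""

# Constructed source values: a monitored file carries its path as source,
# a plain [udp://514] syslog input carries "udp:514" (Splunk's default).
SAMPLE_SOURCES = [
    "/var/log/firewall.log",
    "/opt/fw/var/log/firewall.log",
    "udp:514",
]

if __name__ == "__main__":
    for src in SAMPLE_SOURCES:
        print(f"{src:32} matches={matching_source_stanzas(PROPS_CONF, src)} "
              f"sourcetype={resolve_sourcetype(PROPS_CONF, src, 'syslog')}")
```

Run stand-alone it shows the file-path source hitting both stanzas, the path under `/opt/fw` hitting only the `...` form, and `udp:514` hitting neither, so that event keeps the `syslog` sourcetype its input gave it. That is the behaviour the thread works around by setting `sourcetype` directly in inputs.conf. To see on any tier which file a stanza is actually being read from, `splunk btool props list firewall --debug` (and the same for `inputs`) prints each key with its originating path.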
Thank you Giuseppe, I will try that.
Do you have any idea WHERE I do that? Forwarders? Indexers? Search-heads? I'll try them one at a time and see what happens.
I sure wish the documentation would have mentioned that little tidbit, that it needs to be in both...
Thank you sir. That did the trick.
I added them to the forwarder.
Hi Michael,
inputs.conf usually is on:
props.conf is usually on Indexers and Search Heads, except for csv files monitoring that must be also on Forwarders.
Bye.
Giuseppe
Hey @gcusello ,
If I define the sourcetype in props.conf on the forwarder itself, will that be considered?
props.conf either in system/default or system/local/props.conf, not in a specific app.
Thanks,
Sarvesh
I haven't had to do that yet, but have you tried using the GUI to have splunk figure out the right syntax for you?
http://docs.splunk.com/Documentation/Splunk/6.5.2/Data/Setsourcetype
Not yet. I did see that. Maybe tomorrow, I need to do something productive for the rest of the afternoon...
I guess after using Splunk for the half-dozen years that I have, and continually RTFM, only to have what it says NOT work, is starting to wear way thin...