- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- where are source type names created?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
where are source type names created?
I'm wondering if there are other locations than inputs.conf, props.conf that a sourcetype might be named/assigned. I have data that's supposed to be marked with sysinfo_binfiles. When I search for this under the app context, I see no sysinfo_binfiles. However binfiles is a sourcetype, yet I cannot find where this is set. I see in my data inputs list, that the the input source for the sourcetype sysinfo_binfiles has 0 files, so im wondering if they're being sent to another sourcetype.
UPDATE:
Ill have a look at the docs. So for the data input, I used a CIFS mount to where the files are. Then the folder looks like /mnt/server/folder1/*/binfiles.csv. The csv has a list of binaries installed. Then I specify a manual sourcetype for that input as sysinfo_binfiles. Now I browse to the app that this input is for and do a search:
index=* sourcetype="sysinfo_binfiles"
and it returns nothing. if i search the index for that the data is being submitted to, i see a sourcetype=binfiles.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
edited
moved the text to an update to the original question.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
see update to my original answer
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well, transforms.conf is one place that could happen. But not without you knowing about it, you'd have to configure it yourself (through a TRANSFORMS-blah = blah in props.conf)
Still not too sure about what you really want, though.
Are you setting (e.g. in inputs.conf) a sourcetype for some input, but it doesn't show up as that sourcetype?
Or are you getting data with a strange/unwanted sourcetype, and you don't know where it's being set?
In either case you'd have to know where your data is being read, what type of forwarder is being used (if any), and in which config file to look. As you may know, there are (usually) several inputs.conf files on any given system. The same can be true for most .conf files, actually.
Check the following to see on which type of splunk instance in a deployment a setting should go.
http://docs.splunk.com/Documentation/Splunk/5.0/Deploy/Datapipeline
http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings%3F
Also, always check for typos/cApiTaLizatIOn in conf files, since that is an easy way to break what looks like a correct conf.
UPDATE:
It could be that the sourcetype binfiles is solely based on the filename where the events originate. This would indicate that your manual sourcetype assignment has failed. How did you make that assignment, and what does the config file look like?
Hope this helps,
Kristian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
so my inputs.conf should be setting the sourcetype. Its entries read as:
[monitor:///mnt/server/systeminfo/*/binfiles.csv]
disabled = 0
followTail = 0
index = systeminfo
sourcetype = sysinfo_binfiles
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
inputs and props are the two typical places, but sourcetype.conf set the document model used by the file classifier for creating source types.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
