Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to override Splunk renaming sourcetypes xxx-1 if field name header encountered?

Glenn
Builder
‎03-18-2010 11:43 AM

This is related to an earlier question: http://answers.splunk.com/questions/490/why-do-variations-in-sourcetype-appear

This question is slightly different however, as the issue is not present in IIS logs, but in an external CSV report we monitor that contains a header of field names.

I need to have all my sourcetypes set the same so they do not have to be referenced as "ORAExtendedOrderHistory*". From what I understood from that previous question, it renames the sourcetype because it is trying to store the field names from the header, but when I look at the list of available fields, these are not available in the list anyway. Unless I misunderstood the point of this functionality, it looks like its not working for me, so I'd like to override it.

Source log /opt/oracle/admin/reports/ExtendedOrderHistoryCacti_SUNDAY.csv:

field1, field2, field3, field4, field5, field6, field7,field8,field9, field10, field11, field12,
field13,field14, field15, field16
13-MAR-2010 23:59,WEB,OS,0,2,0,2,43,42,43,23,22,23,20,20,20,14-MAR-10,13-MAR-10,14-MAR-10
14-MAR-2010 00:00,WEB,OS,1,1,0,2,69,47,91,29,27,30,41,17,64,14-MAR-10,14-MAR-10,14-MAR-10
...

Monitors in inputs.conf:

[monitor:///opt/oracle/admin/reports/ExtendedOrderHistoryCacti_MONDAY.csv]
sourcetype = ORAExtendedOrderHistory
disabled = false

[monitor:///opt/oracle/admin/reports/ExtendedOrderHistoryCacti_TUESDAY.csv]
sourcetype = ORAExtendedOrderHistory
disabled = false

[monitor:///opt/oracle/admin/reports/ExtendedOrderHistoryCacti_WEDNESDAY.csv]
sourcetype = ORAExtendedOrderHistory
disabled = false

[monitor:///opt/oracle/admin/reports/ExtendedOrderHistoryCacti_THURSDAY.csv]
sourcetype = ORAExtendedOrderHistory
disabled = false

[monitor:///opt/oracle/admin/reports/ExtendedOrderHistoryCacti_FRIDAY.csv]
sourcetype = ORAExtendedOrderHistory
disabled = false

[monitor:///opt/oracle/admin/reports/ExtendedOrderHistoryCacti_SATURDAY.csv]
sourcetype = ORAExtendedOrderHistory
disabled = false

[monitor:///opt/oracle/admin/reports/ExtendedOrderHistoryCacti_SUNDAY.csv]
sourcetype = ORAExtendedOrderHistory
disabled = false
Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎03-19-2010 12:17 AM

It is doing this because there is a built-in rule that takes any file name ending in .csv and forces the header check and sourcetype generation. You can override this by putting this in props.conf:

[source::.../ExtendedOrderHistory*.csv]
sourcetype = ORAExtendedOrderHistory
priority = 101

or some other appropriate source pattern. You can repeat this multiple times for multiple source patterns if needed.

View solution in original post

Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎03-19-2010 12:17 AM

It is doing this because there is a built-in rule that takes any file name ending in .csv and forces the header check and sourcetype generation. You can override this by putting this in props.conf:

[source::.../ExtendedOrderHistory*.csv]
sourcetype = ORAExtendedOrderHistory
priority = 101

or some other appropriate source pattern. You can repeat this multiple times for multiple source patterns if needed.

Reply
Solved! Jump to solution

Glenn
Builder
‎03-22-2010 05:10 PM

Yup, that's done it thanks.

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎03-19-2010 06:36 PM

This needs to be set on the forwarder actually, not the indexer. It's one of the few props.conf settings that happens on the input side before parsing. See: http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings%3F

0 Karma
Reply
Solved! Jump to solution

Glenn
Builder
‎03-19-2010 03:29 PM

I added the following to props.conf on my indexer:
[source::.../OrderHistoryCacti_*.csv]
sourcetype = ORAOrderHistory
priority = 101

[source::.../ExtendedOrderHistoryCacti_*.csv]
sourcetype = ORAExtendedOrderHistory
priority = 102

After running "| extract reload=T" on my indexer, I am still seeing the sourcetypes as "ORAExtendedOrderHistory-7" as they were before the change. Should I expect the change to be reflected immediately? Or will it only happen once the file rolls and Splunk encounters a new one?

0 Karma
Reply
Solved! Jump to solution

BunnyHop
Contributor
‎03-18-2010 04:51 PM

when you see the sourcetype as xxxxxx-1 Splunk tries to learn the data. For some reason, it doesn't know how to handle the csv files correctly.

I had to convert mine to a txt file for it to be considered into the sourcetype that I specified.

0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...