Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

strangely Behaviuor with Sourcetype

anasshsa
Engager
‎04-26-2019 01:55 AM

I have installed a universal Forwarder on Microsoft Exchange Server and it had starting to send the data from the log files to Splunk Server. I have configured two types of Sourcetype (SEND,RECV) but strangely they became four (SEND,send-too_small,RECV,recv-too_small) and after that it had not indexed the data under SEND or RECV spurcetypes!!!!
I don't know why it's happing. Anyone have an idea!!

Thanks for help 🙂

0 Karma
Reply

PowerPacked
Builder
‎04-26-2019 11:59 AM

Hi

Splunk assigns that sourcetype to files which are having less than 100 lines or 100 events in file.

Check the PREFIX_SOURCETYPE in props.conf

Thanks

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-26-2019 06:20 AM

The "-too_small" suffix indicates Splunk has found data which it could not match to any provided sourcetype. Make sure you have defined a sourcetype for all of the events you expect to index. Share you props.conf settings here if you need help.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...