I have results from a search that Splunk has tagged as linux_secure (sourcetype), which appears by default. Is there a way to turn that option off?
Thanks,
Al
Splunk 5.03
You should set sourcetypes manually in inputs.conf.
Sourcetype information is not being 'tagged' (this word has a specific meaning in splunkese). When data is being input into Splunk, a few metadata attributes are set before the data is stored in an index. The ones that you'll most likely come across, and which are of greatest importance to you, are probably:
Once the data has been indexed, they cannot be changed. If required, you'll need to clear your indexes and re-read the files.
Without going into too much detail, I would recommend always configuring these for 3 and 4 (only if necessary for 1 and 2). So in inputs.conf on your forwarder, assuming that is what you have:
[monitor:///some/path/to/a/file]
sourcetype = blah
index = bleh
Setting the proper sourcetype will let you control field extraction in a manageable manner. Setting the index will let you deal with different retention times and access rights to stored data.
http://docs.splunk.com/Documentation/Splunk/6.0/Data/Whysourcetypesmatter
http://docs.splunk.com/Documentation/Splunk/6.0/Indexer/Setupmultipleindexes
http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings
Hope this helps,
/K
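An added example (not from the answer above) of what the recommended forwarder inputs.conf looks like in the asker's situation: the standard auth log keeps linux_secure explicitly, while the custom OS audit feed gets its own sourcetype and index so autodetection is never consulted. File paths, sourcetype and index names are assumptions.

```ini
# Added example, not from the original post: forwarder inputs.conf that
# pins sourcetype and index per input so Splunk's automatic sourcetype
# detection is not applied to these files. Paths, sourcetype and index
# names below are assumptions; adjust them to your environment.

# Standard Linux auth log: keep Splunk's built-in linux_secure sourcetype,
# but set it explicitly so the decision is made here, not by autodetection.
[monitor:///var/log/secure]
sourcetype = linux_secure
index = os_auth
disabled = 0

# Audit feed from the custom OS layer (assumed path). A dedicated sourcetype
# keeps it separate from linux_secure, so its field extractions and line
# breaking can be tuned for this sourcetype alone, and a dedicated index
# lets audit data get its own retention period and access controls.
[monitor:///opt/custom_os/audit/*.log]
sourcetype = custom_os:audit
index = custom_os_audit
disabled = 0
```

Only data read after the forwarder is restarted picks up these settings; events already indexed keep the sourcetype they were given at ingestion.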
Thanks, your answer matches what I've slowly been learning!
Have a great weekend.
Al
It wasn't really a search. We have an OS running on top of Linux that returns specific data to our operations. Splunk tags our data linux_secure, and it appears to change some of the formatting I am used to looking at. I'd like to be able to turn the auto source_type off until I'm sure all of our audit requirements are being picked up by Splunk.
Sourcetypes are assigned to sources upon ingestion, not tagged from the search. What's the source that's returning with this sourcetype? What's the search you're dealing with?