Getting Data In

Universal Forwarder app not going to correct index or sourcetype

Branden
Builder

I'm trying to do what has always been a routine task for me: I'm indexing data as specified in inputs.conf on a Universal Forwarder. I want to force the sourcetype and the target index. I have done this many times in the past, but for some reason it's not working for me this time. The notable difference is that I'm new to v6.X... I've been using 5.0.X until recently.

Here is my inputs.conf on the UF:

[monitor:///var/log/celery/*]
index = perma
sourcetype = celery
disabled = 0

[monitor:///var/log/gunicorn/*]
index = perma
sourcetype = gunicorn
disabled = 0

[monitor:///var/log/nginx/*]
index = perma
sourcetype = nginx_access
disabled = 0

[monitor:///var/log/rabbitmq/*]
index = perma
sourcetype = rabbitmq
disabled = 0

The inputs.conf looks okay, but it's putting the data in the "main" index, and coming up with its own sourcetypes instead of the sourcetype I provided.

I ran the btool command as instructed in similar posts. Everything looks fine there.

Am I missing something silly here?

Thanks!

0 Karma

dkuk
Path Finder

Hi,

The indexes are definitely created on the indexer(s) already, right? (Have to ask just in case.)

So does the output of the following command from the $SPLUNK_HOME$/bin folder have the index and sourcetype set as desired? Sounds like you have checked this bit, but just checking for this exact usage.

./splunk cmd btool inputs list --debug

Have you got any props and transforms on the indexer that could be overriding the index and sourcetype to the wrong values? I.e. if you run ./splunk cmd btool props list --debug, is there anything picking up that folder/source and overriding the index and/or sourcetype? What's the sourcetype being set to for a given example from the inputs.conf above?

0 Karma
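
An added example (not part of the thread and not Splunk's code): a Python check that parses `btool inputs list --debug` output and reports each monitor stanza whose effective index or sourcetype differs from what the inputs.conf above intends, along with the file that supplied the value. The sample output, the app name `perma_inputs`, and the assumed line format (file path without spaces, then the setting) are constructed for illustration.

```python
# Constructed sample of `splunk cmd btool inputs list --debug` output (not from the post).
# Assumed line format: "<conf file path> <[stanza] or key = value>", paths without spaces.
SAMPLE = """\
/opt/splunkforwarder/etc/apps/perma_inputs/local/inputs.conf [monitor:///var/log/celery/*]
/opt/splunkforwarder/etc/apps/perma_inputs/local/inputs.conf index = perma
/opt/splunkforwarder/etc/apps/perma_inputs/local/inputs.conf sourcetype = celery
/opt/splunkforwarder/etc/apps/perma_inputs/local/inputs.conf [monitor:///var/log/nginx/*]
/opt/splunkforwarder/etc/apps/perma_inputs/local/inputs.conf disabled = 0
/opt/splunkforwarder/etc/system/default/inputs.conf          index = default
"""

# (index, sourcetype) pairs the post's inputs.conf is meant to enforce.
EXPECTED = {
    "monitor:///var/log/celery/*": ("perma", "celery"),
    "monitor:///var/log/gunicorn/*": ("perma", "gunicorn"),
    "monitor:///var/log/nginx/*": ("perma", "nginx_access"),
}

def parse_btool(text):
    """Return {stanza: {key: (value, source_file)}} from btool --debug output."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        parts = raw.split(None, 1)          # first token is the contributing file
        if len(parts) != 2:
            continue
        src, body = parts[0], parts[1].strip()
        if body.startswith("[") and body.endswith("]"):
            current = stanzas.setdefault(body[1:-1], {})
        elif current is not None and "=" in body:
            key, value = (p.strip() for p in body.split("=", 1))
            current[key] = (value, src)
    return stanzas

def audit(text, expected):
    """List (stanza, key, effective_value, source_file) for every mismatch."""
    findings, stanzas = [], parse_btool(text)
    for stanza, (index, sourcetype) in expected.items():
        settings = stanzas.get(stanza)
        if settings is None:                # stanza never reached the merged config
            findings.append((stanza, "stanza", "missing", None))
            continue
        for key, want in (("index", index), ("sourcetype", sourcetype)):
            got, src = settings.get(key, (None, None))
            if got != want:
                findings.append((stanza, key, got, src))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, EXPECTED):
        print(finding)
```

A clean result on the forwarder combined with wrong values at search time points toward an override further along the pipeline, which is what the props check in the answer above looks for.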