Universal forwarder Sourcetype name changes itself

ea7777777 · ‎04-20-2020

Hello,

a Universal Forwarder (7.0.1) is watches an textfile. The parameter are following:

[default]
host = RBD9EUFN

[monitor://C:\ProgramData\Cognex\In-Sight\Splunk\Log_Cam]
index = rbg_ff1_stand_allone_ant2
sourcetype = rbg_ff1_stand_allone_ant2_sourcetype

crcSalt = <SOURCE>
followTail = 1

The strange thing is, the sourcetype name changes itself! Why?

PavelP · ‎04-20-2020

Hello @ea7777777 ,

are the log files in this folder being renamed? If yes, do they have the similar suffix (1-2-2-2)?

check on indexer (and on UF too, if you use INDEXED_EXTRACTIONS or local_processing) if there is any sourcetype renaming in any transforms.conf file:

on linux:

grep -Er MetaData:Sourcetype /opt/splunk/etc/*

on Windows:

findstr /s MetaData:Sourcetype c:\ProgramFiles\Splunk\etc\*

or by using btool

splunk btool transforms list --debug |grep MetaData:Sourcetype

splunk btool transforms list --debug |findstr MetaData:Sourcetype

richgalloway · ‎04-20-2020

The host name in your screen shot does not match the host name in your config.

---
If this reply helps you, Karma would be appreciated.

codebuilder · ‎04-20-2020

Try this instead:

tstats count where index=rbg_ff1_stand_allone_ant2 by sourcetype

----
An upvote would be appreciated and Accept Solution if it helps!

Universal forwarder Sourcetype name changes itself

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio