Solved: Re: What is this 'Learned' file under apps?

nce054 · ‎06-17-2015

I was just poking around to find out why my data had this strange sourcetype history-y2016-m06-d-10, and when I went to C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local, I found a props.conf and sourcetypes.conf. It's like it has been recording what I have it reading from inputs.conf? What are these files generated for?

yannK · ‎06-17-2015

This is the learned app, it is unique to each instance, and dynamically populated.
Where splunk store automatic sourcetypes (for each file that was monitored without specifying a sourcetype)

see the very last remark of this page :
http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Whysourcetypesmatter

View solution in original post

yannK · ‎06-17-2015

This is the learned app, it is unique to each instance, and dynamically populated.
Where splunk store automatic sourcetypes (for each file that was monitored without specifying a sourcetype)

see the very last remark of this page :
http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Whysourcetypesmatter

nce054 · ‎06-17-2015

Thanks! That explains it well.

abhinav_maxonic · ‎04-06-2016

If we have too many sourcetypes, say around in 1600 in props.conf, does it affects the indexing & search performance ? If yes, it would be great if you could help me understand the logic behind it .

Thanks in Advance !!

What is this 'Learned' file under apps?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...