Splunk Cloud Platform

How do we overcome a high number of sourcetypes and incorrect ingestion in a Splunk Cloud instance?

AL3Z
Builder

Hi All,

In our Splunk Cloud instance, we are experiencing a significant increase in the number of sourcetypes, and it seems that a considerable portion of these sourcetypes are being ingested incorrectly. This incorrect ingestion is likely causing an inflation in the overall count of sourcetypes.
How do we overcome this issue?

0 Karma

glc_slash_it
Path Finder

Hi,

Where is this information coming from? An on-prem forwarder? If so, check any recently updated inputs.conf files.

Maybe there is an incorrect configuration to index all files in a folder or sub-folder.

0 Karma

AL3Z
Builder

@glc_slash_it ,

I believe when I query the data with "| metadata index=* type=sourcetypes" it appears to be ingested incorrectly.
How do we correct the ingestion of these sourcetypes ?

0 Karma

glc_slash_it
Path Finder

Hi,

That command, "| metadata index=* type=sourcetypes", is just a way of seeing metadata on which sourcetypes are being applied in Splunk. It has nothing to do with the actual events/logs of your data.

For that you should search the specific indexes (e.g. index=abc) and:

- first check if the important fields are correct: _time, host, sourcetype and source

- second, check any field extractions, whether they are also correct, and then analyze whether you need any more field extractions for your use cases.

0 Karma

AL3Z
Builder

@glc_slash_it ,

I'm seeing a huge number of buffer.* sourcetypes present in one of the indexes. How do we change them into a single sourcetype?

Thanks

0 Karma

glc_slash_it
Path Finder

That depends on the source of the logs and how you are ingesting them into Splunk.

Usually you need to configure the inputs.conf file to tell Splunk which files to ingest and which sourcetype should be applied to those files. Something like this:

[monitor:///home/jenkins/folder/dir]
host = <name_of_the_server_producing_logs>
# sourcetype can be a known sourcetype like "cisco:asa" or a custom one
sourcetype = <desired_sourcetype>
index = abc
disabled = false

But again, this is just an example; it depends on how you are collecting the logs, and Splunk has many ways to configure log collection.
0 Karma
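As an added example (not part of the original thread or the poster's own configuration), the following shows the weak monitor stanza that typically produces one sourcetype per file beside the corrected one, plus the props.conf alternative for overriding the sourcetype of an existing source on the forwarder. The paths, host name, index name "abc" and sourcetype name "jenkins:build" are hypothetical placeholders.

```ini
# Added example, not from the original thread. Paths, host, index and
# sourcetype names below are assumed placeholders.

# ---------------------------------------------------------------
# inputs.conf, BEFORE: no sourcetype set, whole tree monitored.
# With sourcetype unset, Splunk falls back to automatic sourcetype
# assignment; when it cannot match a known format it derives a name
# from the file name (small files get a "-too_small" suffix), which
# is how a directory of buffer.1, buffer.2, ... files turns into a
# pile of buffer.* sourcetypes.
# ---------------------------------------------------------------
[monitor:///home/jenkins/folder/dir]
index = abc
disabled = false

# ---------------------------------------------------------------
# inputs.conf, AFTER: pin the sourcetype, monitor only the files
# you actually want, and do not descend into subdirectories.
# whitelist/blacklist are regexes matched against the full path.
# ---------------------------------------------------------------
[monitor:///home/jenkins/folder/dir]
host = jenkins01
index = abc
sourcetype = jenkins:build
whitelist = \.log$
blacklist = \.(gz|bak|tmp)$
recursive = false
disabled = false

# ---------------------------------------------------------------
# props.conf on the forwarder, ALTERNATIVE: when the input stanza
# cannot be changed (for example it lives in an app you do not own),
# a source:: stanza overrides automatic sourcetype assignment for
# every file under the path. The trailing "..." is Splunk's
# wildcard for any number of path segments.
# ---------------------------------------------------------------
[source::/home/jenkins/folder/dir/...]
sourcetype = jenkins:build
```

Both changes only affect data ingested after the forwarder restarts; events already indexed keep the sourcetype they were written with. To confirm the fix took, count sourcetypes per index over the last hour with "| tstats count where index=abc by sourcetype" and check that the buffer.* names stop growing.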