https://community.splunk.com/t5/All-Apps-and-Add-ons/sourcetype-cron-cron-2-or-syslog/m-p/493109#M60706 <P>All,</P> <P>I am having issues with all versions of UF.</P> <P>I installed Splunk_TA_nix 7.0.0 on some Splunk UF 8.0.2.1 and old Splunk UF 6.2.4</P> <P>It has the following stanza in the local/inputs.conf:</P> <P>[monitor:///var/log]<BR /> whitelist=(.log|log$|messages|secure|auth|mesg$|cron$|acpid$|.out)<BR /> blacklist=(lastlog|anaconda.syslog)disabled = 0</P> <P>For some reason I have many different sourcetypes:</P> <P>| tstats count where (source=*cron earliest=-4h) by source sourcetype</P> <P>source sourcetype count<BR /> 1 /var/log/cron cron 40884<BR /> 2 /var/log/cron cron-2 41597<BR /> 3 /var/log/cron cron-3 15487<BR /> 4 /var/log/cron cron-4 3019<BR /> 5 /var/log/cron cron-5 681<BR /> 6 /var/log/cron cron-too_small 3192<BR /> 7 /var/log/cron monolith_tool_usage 169<BR /> 8 /var/log/cron sendmail_syslog 1732<BR /> 9 /var/log/cron syslog 58095</P> <P>I tried everything to find how this sourcetype is set, I cannot see anything in our indexer of UF props.conf. All the sources in the same stanza have the same issue, but cron is so far the worse.</P> <P>Any help will be very appreciated,</P> <P>Gerson Garcia</P> Wed, 30 Sep 2020 04:35:28 GMT GersonGarcia 2020-09-30T04:35:28Z https://community.splunk.com/t5/All-Apps-and-Add-ons/sourcetype-cron-cron-2-or-syslog/m-p/493109#M60706 <P>All,</P> <P>I am having issues with all versions of UF.</P> <P>I installed Splunk_TA_nix 7.0.0 on some Splunk UF 8.0.2.1 and old Splunk UF 6.2.4</P> <P>It has the following stanza in the local/inputs.conf:</P> <P>[monitor:///var/log]<BR /> whitelist=(.log|log$|messages|secure|auth|mesg$|cron$|acpid$|.out)<BR /> blacklist=(lastlog|anaconda.syslog)disabled = 0</P> <P>For some reason I have many different sourcetypes:</P> <P>| tstats count where (source=*cron earliest=-4h) by source sourcetype</P> <P>source sourcetype count<BR /> 1 /var/log/cron cron 40884<BR /> 2 /var/log/cron cron-2 41597<BR /> 3 /var/log/cron cron-3 15487<BR /> 4 /var/log/cron cron-4 3019<BR /> 5 /var/log/cron cron-5 681<BR /> 6 /var/log/cron cron-too_small 3192<BR /> 7 /var/log/cron monolith_tool_usage 169<BR /> 8 /var/log/cron sendmail_syslog 1732<BR /> 9 /var/log/cron syslog 58095</P> <P>I tried everything to find how this sourcetype is set, I cannot see anything in our indexer of UF props.conf. All the sources in the same stanza have the same issue, but cron is so far the worse.</P> <P>Any help will be very appreciated,</P> <P>Gerson Garcia</P> Wed, 30 Sep 2020 04:35:28 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/sourcetype-cron-cron-2-or-syslog/m-p/493109#M60706 GersonGarcia 2020-09-30T04:35:28Z https://community.splunk.com/t5/All-Apps-and-Add-ons/sourcetype-cron-cron-2-or-syslog/m-p/521607#M63584 <P>I want to know the answer to this too!</P> Sat, 26 Sep 2020 13:51:53 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/sourcetype-cron-cron-2-or-syslog/m-p/521607#M63584 esalesap 2020-09-26T13:51:53Z https://community.splunk.com/t5/All-Apps-and-Add-ons/sourcetype-cron-cron-2-or-syslog/m-p/533344#M64452 <P>I presume this is coming from the learned app in Splunk. Splunk automatically stores the sourcetype in props.conf if it is not mentioned by default.</P><P>Please check if the sourcetype is available in the learned app in both UF &amp; indexer. $SPLUNK_HOME\etc\apps\learned\local\</P> Wed, 16 Dec 2020 17:03:07 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/sourcetype-cron-cron-2-or-syslog/m-p/533344#M64452 saravanan90 2020-12-16T17:03:07Z https://community.splunk.com/t5/All-Apps-and-Add-ons/sourcetype-cron-cron-2-or-syslog/m-p/595654#M76722 <P>I would like to take this moment to say that your best bet is to comment out this entry in the Nix TA until Splunk has a better way to get sourcetypes from linux - cron is a great source of data but it doesn't seem that Splunk cares about making the data actually useful, at least in this instance. If you can create your own sourcetype, you should definitely share it on Github, but other than that, I don't know that we're going to be seeing any tools for this any time soon. There may be a good use case for a supplementary TA that adds onto the linux TA which monitors standard files and assigns/defines the correct sourcetypes for them.</P> Wed, 27 Apr 2022 20:47:55 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/sourcetype-cron-cron-2-or-syslog/m-p/595654#M76722 haraksin 2022-04-27T20:47:55Z