https://community.splunk.com/t5/Getting-Data-In/Why-is-source-type-stuck-on-too-small/m-p/641304#M109387 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/252540">@tretrigh</a>,</P><P>sometimes (I don't know why) there's some situation when in the add-on isn't defined the sourcetype, so Splunk automatuically assign the sourcetype based on its knowledge and sometimes it cannot find the correct one.</P><P>So analyze your logs where there's a too small sourcetype, find the Add-On with that input and manually assign the correct one in the add-on.</P><P>Ciao.</P><P>Giuseppe</P> Tue, 25 Apr 2023 15:51:45 GMT gcusello 2023-04-25T15:51:45Z https://community.splunk.com/t5/Getting-Data-In/Why-is-source-type-stuck-on-too-small/m-p/641286#M109382 <P>In our distributed enterprise Splunk environment we have a log file being generated on each Splunk host (indexers, search head, deployment server, etc) located at:&nbsp;<STRONG>/opt/splunk/var/log/splunk/foo.log</STRONG></P> <P>By default this gets logged to <STRONG>_internal</STRONG> using the <STRONG>foo-too_small </STRONG>source type.</P> <P>We now want to change the source type to one we created (<STRONG>my:custom:sourcetype</STRONG>).&nbsp; I have created the following <STRONG>props.conf</STRONG> file on the deployment server as a custom app and deployed successfully via apply cluster-bundle.&nbsp; However, new log data is still being associated with the existing source type of foo-too_small.&nbsp; We also set the local.meta file (under metadata) for permissions.</P> <P>I have verified this file is making it to the indexers in peer-apps.</P> <P>&nbsp;</P> <LI-CODE lang="markup">[my:custom:sourcetype] TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N MAX_TIMESTAMP_LOOKAHEAD = 25 [source::.../var/log/splunk/foo.log] sourcetype = my:custom:sourcetype</LI-CODE> <P>&nbsp;</P> <P><STRONG>Questions:</STRONG></P> <OL> <LI><STRONG>Why isn't this working?</STRONG></LI> <LI><STRONG>What needs to be done instead to change to a custom source type?</STRONG></LI> </OL> <P>Thank you in advance!</P> Tue, 25 Apr 2023 17:44:39 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-source-type-stuck-on-too-small/m-p/641286#M109382 tretrigh 2023-04-25T17:44:39Z https://community.splunk.com/t5/Getting-Data-In/Why-is-source-type-stuck-on-too-small/m-p/641290#M109383 <P><A href="https://docs.splunk.com/Documentation/Splunk/Latest/Admin/Propsconf#Small_file_settings" target="_blank">https://docs.splunk.com/Documentation/Splunk/Latest/Admin/Propsconf#Small_file_settings</A></P> Tue, 25 Apr 2023 15:01:32 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-source-type-stuck-on-too-small/m-p/641290#M109383 PickleRick 2023-04-25T15:01:32Z https://community.splunk.com/t5/Getting-Data-In/Why-is-source-type-stuck-on-too-small/m-p/641296#M109384 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/252540">@tretrigh</a>,</P><P>check if in your forwarders, there's some input without sourcetype definition.</P><P>You can do it analyzing host and source values.</P><P>Assign the correct sourcetype to all your inputs.</P><P>ciao.</P><P>Giuseppe</P> Tue, 25 Apr 2023 15:19:33 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-source-type-stuck-on-too-small/m-p/641296#M109384 gcusello 2023-04-25T15:19:33Z https://community.splunk.com/t5/Getting-Data-In/Why-is-source-type-stuck-on-too-small/m-p/641302#M109385 <P>Thank you for the reply.&nbsp; I might be missing something obvious, but unsure how any of these settings might help us reassign the source type to something else.&nbsp; Could you please provide further elaboration?&nbsp; Thank you!</P> Tue, 25 Apr 2023 15:40:55 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-source-type-stuck-on-too-small/m-p/641302#M109385 tretrigh 2023-04-25T15:40:55Z https://community.splunk.com/t5/Getting-Data-In/Why-is-source-type-stuck-on-too-small/m-p/641303#M109386 <P>Thank you for the reply.&nbsp; Do you have any specific guidance on how to apply the correct source type to our data in our situation?</P> Tue, 25 Apr 2023 15:42:13 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-source-type-stuck-on-too-small/m-p/641303#M109386 tretrigh 2023-04-25T15:42:13Z https://community.splunk.com/t5/Getting-Data-In/Why-is-source-type-stuck-on-too-small/m-p/641304#M109387 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/252540">@tretrigh</a>,</P><P>sometimes (I don't know why) there's some situation when in the add-on isn't defined the sourcetype, so Splunk automatuically assign the sourcetype based on its knowledge and sometimes it cannot find the correct one.</P><P>So analyze your logs where there's a too small sourcetype, find the Add-On with that input and manually assign the correct one in the add-on.</P><P>Ciao.</P><P>Giuseppe</P> Tue, 25 Apr 2023 15:51:45 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-source-type-stuck-on-too-small/m-p/641304#M109387 gcusello 2023-04-25T15:51:45Z https://community.splunk.com/t5/Getting-Data-In/Why-is-source-type-stuck-on-too-small/m-p/641305#M109388 <P>Thanks for the reply&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;.&nbsp; In this situation there is no add on.&nbsp; The log file on each Splunk host is generated by a script we wrote.&nbsp; We have attempted to manually define the source type for this specific log unsuccessfully.&nbsp; Do you have any suggestions for how to correctly manually define the source type other than what we've already done?&nbsp; Thank you for the assistance!</P> Tue, 25 Apr 2023 15:57:27 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-source-type-stuck-on-too-small/m-p/641305#M109388 tretrigh 2023-04-25T15:57:27Z https://community.splunk.com/t5/Getting-Data-In/Why-is-source-type-stuck-on-too-small/m-p/641327#M109391 <P>Every Splunk input should have a sourcetype assigned to it.</P><P>Every sourcetype needs to be defined in a props.conf file.</P><P>Every props.conf stanza should have the "Great Eight" attributes, at a minimum.</P><LI-CODE lang="markup">[mysourcetype] TIME_PREFIX = TIME_FORMAT = MAX_TIMESTAMP_LOOKAHEAD = TRUNCATE = SHOULD_LINEMERGE = false LINE_BREAKER = EVENT_BREAKER = EVENT_BREAKER_ENABLE = true</LI-CODE><P>Set values for each attribute that correspond to the data being ingested.</P> Tue, 25 Apr 2023 17:29:17 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-source-type-stuck-on-too-small/m-p/641327#M109391 richgalloway 2023-04-25T17:29:17Z https://community.splunk.com/t5/Getting-Data-In/Why-is-source-type-stuck-on-too-small/m-p/641339#M109392 <P>Answering my own question here:</P><OL><LI>Several indexers were not automatically getting the new source type applied for unknown reasons.&nbsp; I was specifically looking at one which was not.&nbsp; A reboot of each indexer missing the source type resolved the issue.&nbsp; A splunkd restart would probably have been sufficient.&nbsp; All indexers are working as intended.</LI><LI>I added the app to each splunk host (SH, deployment server, etc) which defines the new source type.&nbsp; A debug refresh populated the new source type correctly on each host.&nbsp; I incorrectly assumed that the app's presence on the indexers would affect the data coming from each of the splunk hosts.</LI></OL> Tue, 25 Apr 2023 19:31:06 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-source-type-stuck-on-too-small/m-p/641339#M109392 tretrigh 2023-04-25T19:31:06Z https://community.splunk.com/t5/Getting-Data-In/Why-is-source-type-stuck-on-too-small/m-p/641384#M109393 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/252540">@tretrigh</a>&nbsp;,</P><P>good for you, see next time!</P><P>Ciao and happy splunking</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated by all the contributors <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Wed, 26 Apr 2023 06:46:21 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-source-type-stuck-on-too-small/m-p/641384#M109393 gcusello 2023-04-26T06:46:21Z