https://community.splunk.com/t5/Getting-Data-In/Issue-with-Sourcetype-name/m-p/658454#M111374 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp; No luck!&nbsp; But I confirm there is no other files and settings.</P><P>Command used : index=vmware | stats count by sourcetype</P><P>Currently syslog is ingesting via universal forwarder.</P><P>Current configuration</P><P><STRONG>input.conf</STRONG><BR />[monitor:///opt/syslog/vmware/10.149.xx.xx/*-syslog.log]<BR />disabled = false<BR />host_segment = 4<BR />index = vmware-vclog<BR />sourcetype = vclog<BR />initCrcLength = 2048</P><P><STRONG>Props.conf</STRONG><BR />[source::/opt/syslog/vmware/10.149.xx.xx/*]<BR />TRANSFORMS-null= setnull</P><P>[vclog]<BR />LINE_BREAKER = ([\r\n]+)\&lt;\d+\&gt;\d<BR />SHOULD_LINEMERGE = false</P><P><STRONG>transforms.conf</STRONG><BR />[setnull]<BR />REGEX = ^\w+\W<BR />DESK_KEY = queue<BR />FORMAT = nullQueue</P> Fri, 22 Sep 2023 19:04:39 GMT alexspunkshell 2023-09-22T19:04:39Z https://community.splunk.com/t5/Getting-Data-In/Issue-with-Sourcetype-name/m-p/658445#M111372 <P>I am getting different sourcetype name in my logs. But I want the sourcetype name as per conf file.</P><P>Below are the screenshots of input.conf, props.conf &amp; transforms.conf .</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="alexspunkshell_0-1695400950043.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/27280iFE74511CE0262FDC/image-size/medium?v=v2&amp;px=400" role="button" title="alexspunkshell_0-1695400950043.png" alt="alexspunkshell_0-1695400950043.png" /></span></P><P>Props &amp; Transforms</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="alexspunkshell_2-1695401306383.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/27282iAD95E45C777FD2A6/image-size/medium?v=v2&amp;px=400" role="button" title="alexspunkshell_2-1695401306383.png" alt="alexspunkshell_2-1695401306383.png" /></span></P><P>&nbsp;</P><P>Inputs</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="alexspunkshell_3-1695401342803.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/27283i86E44049C3B4CA37/image-size/medium?v=v2&amp;px=400" role="button" title="alexspunkshell_3-1695401342803.png" alt="alexspunkshell_3-1695401342803.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 22 Sep 2023 16:52:41 GMT https://community.splunk.com/t5/Getting-Data-In/Issue-with-Sourcetype-name/m-p/658445#M111372 alexspunkshell 2023-09-22T16:52:41Z https://community.splunk.com/t5/Getting-Data-In/Issue-with-Sourcetype-name/m-p/658450#M111373 <P>Please use btool to ensure no other files add settings for the sourcetype.</P><P>&nbsp;</P><LI-CODE lang="markup">splunk btool --debug props list vclog | grep -v "system\/default"</LI-CODE><P>&nbsp;</P><P>What query created the output in the first screenshot?</P> Fri, 22 Sep 2023 20:01:42 GMT https://community.splunk.com/t5/Getting-Data-In/Issue-with-Sourcetype-name/m-p/658450#M111373 richgalloway 2023-09-22T20:01:42Z https://community.splunk.com/t5/Getting-Data-In/Issue-with-Sourcetype-name/m-p/658454#M111374 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp; No luck!&nbsp; But I confirm there is no other files and settings.</P><P>Command used : index=vmware | stats count by sourcetype</P><P>Currently syslog is ingesting via universal forwarder.</P><P>Current configuration</P><P><STRONG>input.conf</STRONG><BR />[monitor:///opt/syslog/vmware/10.149.xx.xx/*-syslog.log]<BR />disabled = false<BR />host_segment = 4<BR />index = vmware-vclog<BR />sourcetype = vclog<BR />initCrcLength = 2048</P><P><STRONG>Props.conf</STRONG><BR />[source::/opt/syslog/vmware/10.149.xx.xx/*]<BR />TRANSFORMS-null= setnull</P><P>[vclog]<BR />LINE_BREAKER = ([\r\n]+)\&lt;\d+\&gt;\d<BR />SHOULD_LINEMERGE = false</P><P><STRONG>transforms.conf</STRONG><BR />[setnull]<BR />REGEX = ^\w+\W<BR />DESK_KEY = queue<BR />FORMAT = nullQueue</P> Fri, 22 Sep 2023 19:04:39 GMT https://community.splunk.com/t5/Getting-Data-In/Issue-with-Sourcetype-name/m-p/658454#M111374 alexspunkshell 2023-09-22T19:04:39Z