https://community.splunk.com/t5/Getting-Data-In/Why-is-the-Sourcetype-Not-Showing-Up/m-p/221726#M43532 <P>So I noticed today for whatever reason that my graphs were not giving up to date information. I looked into the issue and it turns out that my source was no longer having the information pumped into it. It does catch everything even if the log file changes names because I have it set up with a wildcard.</P> <P>But what was even weirder is that the information was showing up in the Source, and some information was being sent to the sourcetype but not the information that would fill in my graphs.</P> <P>So the information is there and I can technically change the Sourcetype to the source to get my graphs, but I want to know why it did that. The only thing that I did yesterday to Splunk was set up an Alert that would send out one email to me when a certain number for a name value pair was reached on the system. The alert was actually pulling on that Sourcetype but I set up that Alert ~8 hrs before the information stopped showing up. It wasn't doing the alert real time either just every hour.</P> <P>I no longer have the alert either because I deleted it earlier this morning when I realized that it didn't do what I want, this was before I realized I had the problem a I do now.</P> Tue, 29 Aug 2023 16:12:31 GMT MollyDS 2023-08-29T16:12:31Z https://community.splunk.com/t5/Getting-Data-In/Why-is-the-Sourcetype-Not-Showing-Up/m-p/221726#M43532 <P>So I noticed today for whatever reason that my graphs were not giving up to date information. I looked into the issue and it turns out that my source was no longer having the information pumped into it. It does catch everything even if the log file changes names because I have it set up with a wildcard.</P> <P>But what was even weirder is that the information was showing up in the Source, and some information was being sent to the sourcetype but not the information that would fill in my graphs.</P> <P>So the information is there and I can technically change the Sourcetype to the source to get my graphs, but I want to know why it did that. The only thing that I did yesterday to Splunk was set up an Alert that would send out one email to me when a certain number for a name value pair was reached on the system. The alert was actually pulling on that Sourcetype but I set up that Alert ~8 hrs before the information stopped showing up. It wasn't doing the alert real time either just every hour.</P> <P>I no longer have the alert either because I deleted it earlier this morning when I realized that it didn't do what I want, this was before I realized I had the problem a I do now.</P> Tue, 29 Aug 2023 16:12:31 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-the-Sourcetype-Not-Showing-Up/m-p/221726#M43532 MollyDS 2023-08-29T16:12:31Z https://community.splunk.com/t5/Getting-Data-In/Why-is-the-Sourcetype-Not-Showing-Up/m-p/221727#M43533 <P>So you're saying that the events coming in no longer have the sourcetype you specified in the <CODE>inputs.conf</CODE>? </P> <P>First I would verify that this is generating log data. You should then verify your forwarder service is turned on. You should then look on your <CODE>inputs.conf</CODE> file on the forwarder and verify that you specified the sourcetype in there. If all these are good then I would try to restart your forwarder service by going into <CODE>/splunk/bin</CODE> and doing a <CODE>/splunk restart</CODE></P> <P>How many forwarders do you have with this specified sourcetype?</P> Wed, 10 Aug 2016 15:46:20 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-the-Sourcetype-Not-Showing-Up/m-p/221727#M43533 skoelpin 2016-08-10T15:46:20Z https://community.splunk.com/t5/Getting-Data-In/Why-is-the-Sourcetype-Not-Showing-Up/m-p/221728#M43534 <P>Just to add a bit here... you might have new outputs.conf settings that are sending the data to a different location now.</P> <P>I recommend using <CODE>./splunk cmd btool outputs list --debug</CODE> to verify your outputs if none of the above works.</P> Wed, 10 Aug 2016 15:52:39 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-the-Sourcetype-Not-Showing-Up/m-p/221728#M43534 jkat54 2016-08-10T15:52:39Z https://community.splunk.com/t5/Getting-Data-In/Why-is-the-Sourcetype-Not-Showing-Up/m-p/221729#M43535 <P>I suspect that your searches are not fully qualified with <CODE>index=</CODE> and <CODE>sourcetype=</CODE> everywhere. Because of this, you are wide open to your searches being qualified by <CODE>role</CODE> settings (e.g. <CODE>Indexes searched by default</CODE>). Try using <CODE>index=&lt;something&gt;</CODE> everywhere.</P> Fri, 12 Aug 2016 18:54:57 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-the-Sourcetype-Not-Showing-Up/m-p/221729#M43535 woodcock 2016-08-12T18:54:57Z https://community.splunk.com/t5/Getting-Data-In/Why-is-the-Sourcetype-Not-Showing-Up/m-p/655898#M111119 <P>i had similar issue.&nbsp; &nbsp;i created new index for my windows servers and define the sourcetype in inputs.conf and deploy the _TA_Windows apps search works fine but source type and source are interchanged.</P><P>any thoughts ?</P><P>&nbsp;</P> Mon, 28 Aug 2023 21:27:42 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-the-Sourcetype-Not-Showing-Up/m-p/655898#M111119 yr 2023-08-28T21:27:42Z https://community.splunk.com/t5/Getting-Data-In/Why-is-the-Sourcetype-Not-Showing-Up/m-p/655985#M111127 <P>Hi! Kara here, Splunk Community Manager. Thanks for your question, but I see this post is from 2016. I recommend you post a new question to gain more visibility and current answers.</P> <P>&nbsp;</P> <P>Cheers!</P> Tue, 29 Aug 2023 16:17:14 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-the-Sourcetype-Not-Showing-Up/m-p/655985#M111127 KaraD 2023-08-29T16:17:14Z