https://community.splunk.com/t5/Getting-Data-In/Splunk-learned-app-should-stop-learning-too-small-dispatch/m-p/231051#M44971 <P>I defined a new input folder that receives <STRONG>gzipped</STRONG> server logs from a <STRONG>scp copy job</STRONG> on our servers.</P> <P>inputs.conf </P> <PRE><CODE>[monitor://F:\ssh_incoming\Logs] disabled = false recursive = false host_regex = pl\-([^_]+)_ index = plserver sourcetype = syslog </CODE></PRE> <P>The problem is that the props.conf of the learned app grows and grows until dispatching of new searches takes longer and longer until no searches start at all. (Inspect Job shows that <STRONG>dispatch.evaluate</STRONG> takes more than ten minutes to complete)</P> <P>/learned/local/props.conf</P> <PRE><CODE>[pl-www1_20160303053001_sudo-too_small] PREFIX_SOURCETYPE = True SHOULD_LINEMERGE = False is_valid = True maxDist = 9999 [pl-www1_20160303053001_system-too_small] PREFIX_SOURCETYPE = True SHOULD_LINEMERGE = False is_valid = True maxDist = 9999 [pl-www1_20160303060001_crond-too_small] PREFIX_SOURCETYPE = True SHOULD_LINEMERGE = False is_valid = True maxDist = 9999 [pl-www1_20160303060001_sshd-too_small] PREFIX_SOURCETYPE = True SHOULD_LINEMERGE = False is_valid = True maxDist = 9999 </CODE></PRE> <P>So as long as logs keep incoming in that folder, the props.conf grows and grows. I even disabled the "learned" App but that didn't solve the problem. The file keeps growing. </P> <P>I have also tried to set LEARN_SOURCETYPE to false in the props.conf definition for the "syslog" sourcetype. </P> <PRE><CODE>[syslog] CHARSET = latin-1 LEARN_SOURCETYPE = false </CODE></PRE> <P>I am using Splunk 6.2.2 with Enterprise License. </P> Thu, 03 Mar 2016 13:25:36 GMT FRoth 2016-03-03T13:25:36Z https://community.splunk.com/t5/Getting-Data-In/Splunk-learned-app-should-stop-learning-too-small-dispatch/m-p/231051#M44971 <P>I defined a new input folder that receives <STRONG>gzipped</STRONG> server logs from a <STRONG>scp copy job</STRONG> on our servers.</P> <P>inputs.conf </P> <PRE><CODE>[monitor://F:\ssh_incoming\Logs] disabled = false recursive = false host_regex = pl\-([^_]+)_ index = plserver sourcetype = syslog </CODE></PRE> <P>The problem is that the props.conf of the learned app grows and grows until dispatching of new searches takes longer and longer until no searches start at all. (Inspect Job shows that <STRONG>dispatch.evaluate</STRONG> takes more than ten minutes to complete)</P> <P>/learned/local/props.conf</P> <PRE><CODE>[pl-www1_20160303053001_sudo-too_small] PREFIX_SOURCETYPE = True SHOULD_LINEMERGE = False is_valid = True maxDist = 9999 [pl-www1_20160303053001_system-too_small] PREFIX_SOURCETYPE = True SHOULD_LINEMERGE = False is_valid = True maxDist = 9999 [pl-www1_20160303060001_crond-too_small] PREFIX_SOURCETYPE = True SHOULD_LINEMERGE = False is_valid = True maxDist = 9999 [pl-www1_20160303060001_sshd-too_small] PREFIX_SOURCETYPE = True SHOULD_LINEMERGE = False is_valid = True maxDist = 9999 </CODE></PRE> <P>So as long as logs keep incoming in that folder, the props.conf grows and grows. I even disabled the "learned" App but that didn't solve the problem. The file keeps growing. </P> <P>I have also tried to set LEARN_SOURCETYPE to false in the props.conf definition for the "syslog" sourcetype. </P> <PRE><CODE>[syslog] CHARSET = latin-1 LEARN_SOURCETYPE = false </CODE></PRE> <P>I am using Splunk 6.2.2 with Enterprise License. </P> Thu, 03 Mar 2016 13:25:36 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-learned-app-should-stop-learning-too-small-dispatch/m-p/231051#M44971 FRoth 2016-03-03T13:25:36Z https://community.splunk.com/t5/Getting-Data-In/Splunk-learned-app-should-stop-learning-too-small-dispatch/m-p/231052#M44972 <P>If you want to disable to learned app see this post:</P> <P><A href="https://answers.splunk.com/answers/77271/make-splunk-stop-learning-sourcetypes.html">https://answers.splunk.com/answers/77271/make-splunk-stop-learning-sourcetypes.html</A></P> <P>Here is the relevant part of the post:</P> <P>If you really would like to disable learning, edit $SPLUNK_HOME/etc/apps/learned/local/app.conf and make sure it says this:</P> <P>[install]<BR /> state = disabled</P> Mon, 28 Mar 2016 10:02:15 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-learned-app-should-stop-learning-too-small-dispatch/m-p/231052#M44972 ncsantucci 2016-03-28T10:02:15Z https://community.splunk.com/t5/Getting-Data-In/Splunk-learned-app-should-stop-learning-too-small-dispatch/m-p/231053#M44973 <P>If all the sourcetypes are marked as {{-too_small}}.</P> <P>For small files Splunk is unable to determine the type. This can be controlled by:</P> <P>{noformat:title=props.conf}<BR /> [too_small]<BR /> PREFIX_SOURCETYPE = false<BR /> {noformat}</P> <P>Could you please try to add a new entry in props.conf with below configuration and restart splunk:</P> <P>[too_small]<BR /> PREFIX_SOURCETYPE = false</P> <P>This above configuration will not grow the sourcetypes in learned app and .gz file will also read and forwarded by the splunk.</P> Tue, 29 Sep 2020 10:46:35 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-learned-app-should-stop-learning-too-small-dispatch/m-p/231053#M44973 risgupta_splunk 2020-09-29T10:46:35Z