topic Re: remove source type in Getting Data In

remove source type

idekuld — Wed, 18 Apr 2012 06:45:22 GMT

How is this possible?

./splunk help commands

This page shows you the syntax and summary of the Splunk CLI commands.

Splunk CLI command syntax:

./splunk [command] [object] [-parameter <value>]...

* Some commands don't require an object or parameters.
* Some commands have a default parameter that can be specified by its
  value alone.

Commands and objects:

* A command is an action that you can perform.
* An object is something you perform an action on.

Supported commands and objects:

    [command]           [objects]

    add                 [exec|forward-server|index|licenser-pools|licenses|monitor|oneshot|
                        saved-search|search-server|tcp|udp|user]

    anonymize           source

    clean               [all|eventdata|globaldata|userdata]

    create              app

    diag                NONE

    disable             [app|boot-start|deploy-client|deploy-server|discoverable|
                        dist-search|index|listen|local-index|webserver|web-ssl]

    display             [app|boot-start|deploy-client|deploy-server|discoverable|
                        dist-search|index|jobs|listen|local-index]

    edit                [app|exec|forward-server|index|licenser-localslave|licenses|
                        licenser-groups|
                        monitor|saved-search|search-server|tcp|udp|user]

    enable              [app|deploy-client|deploy-server|discoverable|dist-search|
                        index|listen|local-index|boot-start|webserver|web-ssl]

    export,import       [eventdata|userdata]

    find                logs

    help                NONE

    list                [deploy-clients|exec|forward-server|index|licenser-groups|
                        licenser-localslave|licenser-messages|licenser-pools|licenser-slaves|
                        licenser-stacks|licenses|jobs|monitor|saved-search|search-server|
                        source|sourcetype|tcp|udp|user]

    login,logout        NONE

    package             app

    refresh             deploy-clients

    reload              [auth|deploy-server]

    remove              [app|exec|forward-server|jobs|licenser-pools|licenses|monitor|
                        saved-search|search-server|source|sourcetype|tcp|udp|user]

    search              NONE

    set                 [datastore-dir|deploy-poll|default-hostname|default-index|
                        minfreemb|servername|server-type|splunkd-port|web-port]

    show                [config|datastore-dir|deploy-poll|default-hostname|default-index|
                        jobs|minfreemb|servername|splunkd-port|web-port]

    spool               NONE

    start,stop,restart  [monitor|splunkd|splunkweb]

    status              [monitor|splunkd|splunkweb]

Syntax:

    None

Objects:

    None

Required Parameters:

    None

Optional Parameters:

    None

Examples:

    None

Type "help [command]" to get help with parameters for a specific command.

Complete documentation is available online at: http://docs.splunk.com/Documentation

root@sphs1i-fileaudit01:/opt/splunk/bin# ./splunk remove sourcetype audit.log

Command error: The subcommand 'sourcetype' is not valid for command 'remove'.
root@sphs1i-fileaudit01:/opt/splunk/bin# ./splunk remove sourcetype

Command error: The subcommand 'sourcetype' is not valid for command 'remove'.

Re: remove source type

Ayn — Wed, 18 Apr 2012 07:19:09 GMT

What do you mean by removing a sourcetype? A sourcetype is not something that exists by itself, rather it is a property that is assigned to events in the index.

Re: remove source type

idekuld — Wed, 18 Apr 2012 07:26:29 GMT

when i add data to Splunk then i can set a "source type"(new source type and apply an existing source type). After i created a lot of source type, i want to delete them because there are too many.

Re: remove source type

Ayn — Wed, 18 Apr 2012 07:56:41 GMT

You need to delete the events carrying those sourcetypes in that case. Check out the delete operator: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Delete

Re: remove source type

idekuld — Wed, 18 Apr 2012 08:22:19 GMT

i try:

index=audit.log | delete

0 line deleted.

Okay maybe this error is comming from another problem:

i cant add to monitor and index a directory, for example /var/log/
i add /var/log/samba/audit.log file to the data inputs. But it looks like the file is added but when i try to search i found nothing. Just when the file is not added to the data inputs and no index is generated.

Re: remove source type

Ayn — Wed, 18 Apr 2012 08:24:06 GMT

index=audit.log? I think you're confusing terms here. Before you start deleting stuff, you really need to understand the concept of indexes, sources, sourcetypes etc.

Re: remove source type

idekuld — Wed, 18 Apr 2012 09:29:18 GMT

ok.

I try to "add data" on the splunk web management page the /var/log/samba/audit.log file what is created by syslog to monitor. I added the file and nothing happend. i cant search in the file.

Then i try to add a directory with the add data, on the web page. But I cant add any directory. Yes great feature.........

You cant add a directory on the wb site, you can add it on th CLI. .... awesome....

And the last other great feature, when the audit.log is in the /var/log/samba/ directory then splunk dont care this file, you must place this file to /var/log/.

What do you think about this?

Re: remove source type

MHibbin — Wed, 18 Apr 2012 09:37:59 GMT

As Ayn said, I think you have misunderstood a few basic concepts here.

In response to the statement:

"Then i try to add a directory with the add data, on the web page. But I cant add any directory. Yes great feature........."

You are probably using the "preview" feature, this is new to Splunk as of 4.3, and yes it does only let you preview files, as directories can have many files, with many different formats... this feautre is more of an educational tool to help you understand linebreaking/timestamp recognition etc. You can "monitors" in directories if you use the old method...

Re: remove source type

MHibbin — Wed, 18 Apr 2012 09:41:40 GMT

(i.e. by using the "Skip preview" option!).

You don't need to place files in /var/log/ for them to be monitored. As long as the user running Splunk (i.e. root) has "read" permissions on the file, Splunk can read it.

I think you should read the docs, before jumping in head first, and the start again fresh....

http://docs.splunk.com/Documentation/Splunk/latest/User/AboutthisUserManual

Re: remove source type

MHibbin — Wed, 18 Apr 2012 09:43:16 GMT

And... yes... The preview feature, is a good feature (no sarcasm)... as it helps new users understand how to correctly input different types of files.

Re: remove source type

idekuld — Wed, 18 Apr 2012 10:47:58 GMT

"The preview feature, is a good feature" this will be a good feature when you solve the problem that the user not get what he except. (better documentation, teaching video, or something)

Im new with splunk. Now it looks that what you get as web gui to configure is useless. I added the /var/log/samba/audit.log so many times. In the preview i see that everything is fine, but when is want to search in this file i get 0 result.

After i run the command: /splunk add monitor /var/log/ i was to able to search in the log files. But /var/log/samba/audit.log was not in the list of files that can be searched. I must move this file to /var/log/audit.log, only after this was i able to find something in this file.

Re: remove source type

fbl_itcs — Thu, 27 Sep 2012 11:24:59 GMT

Maybe the user that is running splunk doesn't have the correct right for the /var/log/samba directory?

You're not giving us a lot of information, that's why nobody is helping.

Re: remove source type

cyphertek — Mon, 28 Sep 2020 14:20:09 GMT

My company recently rolled out Splunk for our Citrix XenApp 6.5 environment (>900 2008 R2 servers). So I'm running Splunk at home on my personal Debian server to get more exposure to this app...love it btw, keep up the good work.

However, I have this question too on my personal Splunk 5.0.1, build 143156 Debian box...

"...After i created a lot of source type, i want to delete them because there are too many."

Maybe the title of this question could more specifically read "remove (user created) sourcetype" as this is what I'm after as well.

"You need to delete the events carrying those sourcetypes in that case."

This seems to be the way I've seen this question answered in other posts too (I'm done searching/reading, it's time to post), but this doesn't delete the sourcetype in the dropdown box chosen when creating an input file.

Specifically, what is being asked is how are user created sourcetypes deleted/removed from the Set Source Type popup box seen by doing the following: Manager » Data inputs » Files & directories » Data preview > Set Source Type popup box.

So far, I understand the steps to be...

verify your ID has the "delete_by_keyword" capability in Manager » Access controls » Roles » yourID
run sourcetype=User_Created_Foo | Delete in Splunk » Search to remove entries that have have the User_Created_Foo sourcetype
?

Dear Splunk Ninja, please answer what task needs to be done to delete the User_Created_Foo indextype from the Set Source Type popup box in step 3.

Thank you very much!

Re: remove source type

fbl_itcs — Sat, 13 Jul 2013 18:43:29 GMT

Just a guess:

Are those sourcetypes you want to delete mentioned in any props.conf/transforms.conf because you configured special treatment there? Take a look and delete any appearance of the sourcetypes in those files.

Re: remove source type

cyphertek — Sat, 13 Jul 2013 19:54:01 GMT

fbl_itcs,

Thank you, that is the answer.

Re: remove source type

jhlopez — Wed, 03 Dec 2014 07:13:27 GMT

Hi,

All the created sourcetype was configured in "props.conf" file under "/etc/system/local". To reuse the sourcetype you previously use, you must delete its configuration first.

Hope this helps!!