topic Re: How do I change the sourcetype on my Splunk forwarder from "syslog" to "json_no_timestamp"? in Getting Data In

How do I change the sourcetype on my Splunk forwarder from "syslog" to "json_no_timestamp"?

prees — Tue, 08 Dec 2015 15:55:37 GMT

I am using a Splunk forwarder with a main Splunk server. The forwarder is listening on udp port 1514. And is sending logs to my Splunk server on port 9997.

Everything is working as far as I can tell. On the forwarder though, I want to change the sourcetype from syslog to json_no_timestamp. When I do this though, logs do not get sent through anymore.

In case it is relevant, I am running these all as docker containers. The syslogs that are coming in are being sent from docker containers, and the forwarder and main Splunk instance are separate containers.

I am not sure where the problem could be, any input would be greatly appreciated! It's possible the issue is with the container configuration or with Splunk itself? But it does all work when set to syslog so I am not sure.

I posted a trimmed down docker-compose file and and the Splunk logs and results from splunk cmd btool inputs list
https://gist.github.com/prees1/c26a305c4e012a395c78
There doesn't appear to be anything out of place in those files, from what I can tell.

Re: How do I change the sourcetype on my Splunk forwarder from "syslog" to "json_no_timestamp"?

javiergn — Tue, 29 Sep 2020 08:05:47 GMT

json_no_timestamp is a pre-trained sourcetype: http://docs.splunk.com/Documentation/Splunk/6.3.1511/Data/Listofpretrainedsourcetypes

I wonder if that's causing some unexpected side effects because I would expected a json sourcetype to be coming from a plain text file and not via UDP. Can you try to name it something else and see what happens?

Re: How do I change the sourcetype on my Splunk forwarder from "syslog" to "json_no_timestamp"?

prees — Tue, 08 Dec 2015 16:48:36 GMT

I should have mentioned that I have tried setting it to access_combined and _json, both of which worked. However my logs are not in that format, so ultimately it doesn't work.

Are certain sourcetypes only allowed for file vs network inputs?

Re: How do I change the sourcetype on my Splunk forwarder from "syslog" to "json_no_timestamp"?

javiergn — Tue, 29 Sep 2020 08:05:50 GMT

I'm not too familiar with the _json* sourcetypes but worst case scenario, name it something random in your forwarder and then rename this sourcetype to json_no_timestamp before indexing at Indexer level and see if that works.

Re: How do I change the sourcetype on my Splunk forwarder from "syslog" to "json_no_timestamp"?

prees — Tue, 08 Dec 2015 18:21:34 GMT

alright I will give that a try, thanks! As I am new to splunk, when you say 'rename' the source type, which config file would that be a part of? Is it related to transform or props? I am still getting up to speed on configuring splunk. Thanks again!

Re: How do I change the sourcetype on my Splunk forwarder from "syslog" to "json_no_timestamp"?

prees — Tue, 08 Dec 2015 18:44:20 GMT

That seems to have worked. I roughly followed how to rename it from this post here:

https://answers.splunk.com/answers/52198/change-sourcetype-index-after-data-is-indexed-from-forwarder.html

Thank you!

However it is not indexing or extracting my json properly but I think that is due to the prefix syslog being added to my logs now - unrelated separate issue.

Re: How do I change the sourcetype on my Splunk forwarder from "syslog" to "json_no_timestamp"?

ppablo — Tue, 08 Dec 2015 21:11:59 GMT

Hi @prees

Don't forget to accept @javiergn's answer to show this post as resolved and upvote the answer/comment that helped you.