https://community.splunk.com/t5/Getting-Data-In/Several-small-log-files-sourcetype-local-too-small/m-p/307160#M57877 <P>Hi,</P> <P>I've got a problem with monitoring several log files generated by syslog-ng. There are 50+ switches. I am collecting their logs with a syslog-ng server, generating separate log files for every switch, every day. Some of them send only a few lines so that logs file is small.<BR /> I can collect all the logs, but I have got an issue with the sourcetype. All (most?) of the small log file has a local-too_small sourcetype instead of syslog, which I configured explicitly. Based on my research and testing, the auto sourcetype can cause this, but I already add the sourcetype. So what I am doing wrong, why the Splunk ignore it?</P> <P>inputs.conf:<BR /> [monitor:///var/log/remotelogs/*/log/]<BR /> host_segment = 8<BR /> index = default<BR /> sourcetype=syslog</P> <P>Regards,<BR /> István</P> Wed, 29 Nov 2017 13:47:31 GMT ikulcsar 2017-11-29T13:47:31Z https://community.splunk.com/t5/Getting-Data-In/Several-small-log-files-sourcetype-local-too-small/m-p/307160#M57877 <P>Hi,</P> <P>I've got a problem with monitoring several log files generated by syslog-ng. There are 50+ switches. I am collecting their logs with a syslog-ng server, generating separate log files for every switch, every day. Some of them send only a few lines so that logs file is small.<BR /> I can collect all the logs, but I have got an issue with the sourcetype. All (most?) of the small log file has a local-too_small sourcetype instead of syslog, which I configured explicitly. Based on my research and testing, the auto sourcetype can cause this, but I already add the sourcetype. So what I am doing wrong, why the Splunk ignore it?</P> <P>inputs.conf:<BR /> [monitor:///var/log/remotelogs/*/log/]<BR /> host_segment = 8<BR /> index = default<BR /> sourcetype=syslog</P> <P>Regards,<BR /> István</P> Wed, 29 Nov 2017 13:47:31 GMT https://community.splunk.com/t5/Getting-Data-In/Several-small-log-files-sourcetype-local-too-small/m-p/307160#M57877 ikulcsar 2017-11-29T13:47:31Z https://community.splunk.com/t5/Getting-Data-In/Several-small-log-files-sourcetype-local-too-small/m-p/307161#M57878 <P>Hi @ikulcsar,</P> <P>Can you please check your inputs.conf configuration using btool <CODE>$SPLUNK_HOME/bin/splunk cmd btool inputs --debug list</CODE> and check whether <CODE>sourcetype=syslog</CODE> is assigned to your monitor stanza or not? If it is assigned then can you please try to restart splunkforwarder ?</P> Wed, 29 Nov 2017 14:03:49 GMT https://community.splunk.com/t5/Getting-Data-In/Several-small-log-files-sourcetype-local-too-small/m-p/307161#M57878 harsmarvania57 2017-11-29T14:03:49Z https://community.splunk.com/t5/Getting-Data-In/Several-small-log-files-sourcetype-local-too-small/m-p/307162#M57879 <P>Hi, <BR /> Thank you for your comment. Here is the output. I modified the monitor definition to be more specific, restart the full server, too. But no change.</P> <P>/opt/splunk/etc/system/local/inputs.conf [monitor:///var/log/remotelogs/<EM>/log/</EM>/<EM>/</EM>]<BR /> /opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864<BR /> /opt/splunk/etc/system/local/inputs.conf host = shadow<BR /> /opt/splunk/etc/system/local/inputs.conf host_segment = 8<BR /> /opt/splunk/etc/system/local/inputs.conf index = default<BR /> /opt/splunk/etc/system/local/inputs.conf sourcetype = syslog</P> <P>Any other idea?</P> <P>Regards,<BR /> István</P> Tue, 29 Sep 2020 16:58:42 GMT https://community.splunk.com/t5/Getting-Data-In/Several-small-log-files-sourcetype-local-too-small/m-p/307162#M57879 ikulcsar 2020-09-29T16:58:42Z https://community.splunk.com/t5/Getting-Data-In/Several-small-log-files-sourcetype-local-too-small/m-p/307163#M57880 <P>Hi, </P> <P>Finally, I reinstall it from the scratch with Splunk Ent. 7.0, reconfigure the inputs and it works... I can not explain and unfortunately cannot reproduce that behavior... </P> <P>Thank you for your kind help.<BR /> Regards,<BR /> István</P> Sat, 02 Dec 2017 09:21:50 GMT https://community.splunk.com/t5/Getting-Data-In/Several-small-log-files-sourcetype-local-too-small/m-p/307163#M57880 ikulcsar 2017-12-02T09:21:50Z https://community.splunk.com/t5/Getting-Data-In/Several-small-log-files-sourcetype-local-too-small/m-p/307164#M57881 <P>Hi, </P> <P>Finally, I reinstall it from the scratch with Splunk Ent. 7.0, reconfigure the inputs and it works... I can not explain and unfortunately cannot reproduce that behavior... </P> <P>Thank you for your kind help.<BR /> Regards,<BR /> István</P> Sat, 02 Dec 2017 09:21:50 GMT https://community.splunk.com/t5/Getting-Data-In/Several-small-log-files-sourcetype-local-too-small/m-p/307164#M57881 ikulcsar 2017-12-02T09:21:50Z