<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Sourcetype not showing up properly. in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Sourcetype-not-showing-up-properly/m-p/33488#M5993</link>
    <description>&lt;P&gt;Hi jrodman,&lt;/P&gt;

&lt;P&gt;I'm sorry but I didn't understand a word from your answer in regards to the problem. Why is this -2 showing up at the sourcetype and how do we get rid of it??? What has the extraction of fields to do with the fact that a sourcetype is being doubled??? I have the same phenomenon. I have cleared one index and reinstalled splunk on one of the clients and let it index again. And I have also the sourcetype with this -2 appended. Could you explain this in simplest words?? And how to get rid of it?&lt;/P&gt;

&lt;P&gt;Regards&lt;/P&gt;</description>
    <pubDate>Tue, 01 Feb 2011 18:14:37 GMT</pubDate>
    <dc:creator>tzhmaba2</dc:creator>
    <dc:date>2011-02-01T18:14:37Z</dc:date>
    <item>
      <title>Sourcetype not showing up properly.</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Sourcetype-not-showing-up-properly/m-p/33486#M5991</link>
      <description>&lt;P&gt;I cleaned up some of the inputs on a Cisco ACS server to remove some commands that are no longer supported in 4.1.  After making the modification to the various sources in inputs.conf, when I search on those sources, the sourcetype has a "-2" appended to it.  So, TACACS_Failed_Attempts is showing up as TACACS_Failed_Attempts-2.  This is throwing off all of my transforms because the sourcetype doesn't match.  Why is Splunk doing this and what do I have to do to make it recognize the proper sourcetype?&lt;/P&gt;

&lt;P&gt;[monitor://C:\Program Files\CiscoSecure ACS v4.1\Logs\Failed Attempts\Failed Attempts active.csv]
disabled = false
host = semvacs01
index = default
sourcetype = TACACS_Failed_Attempts&lt;/P&gt;

&lt;P&gt;[monitor://C:\Program Files\CiscoSecure ACS v4.1\Logs\Passed Authentications\Passed Authentications active.csv]
disabled = false
host = semvacs01
index = default
sourcetype = TACACS_Passed_Authentications&lt;/P&gt;

&lt;P&gt;[monitor://C:\Program Files\CiscoSecure ACS v4.1\Logs\TACACS+ Accounting\TACACS+ Accounting active.csv]
disabled = false
host = semvacs01
index = default
sourcetype = TACACS_Accounting&lt;/P&gt;

&lt;P&gt;[monitor://C:\Program Files\CiscoSecure ACS v4.1\Logs\TACACS+ Administration\Tacacs+ Administration active.csv]
disabled = false
host = semvacs01
index = default
sourcetype = TACACS_Admin&lt;/P&gt;

&lt;P&gt;[monitor://C:\Program Files\CiscoSecure ACS v4.1\Logs\AdminAudit\Administration Audit active.csv]
disabled = false
host = semvacs01
index = default
sourcetype = ACS_Admin_Audit&lt;/P&gt;

&lt;P&gt;Thanks.&lt;/P&gt;

&lt;P&gt;Craig&lt;/P&gt;</description>
      <pubDate>Thu, 27 Jan 2011 04:47:35 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Sourcetype-not-showing-up-properly/m-p/33486#M5991</guid>
      <dc:creator>jambajuice</dc:creator>
      <dc:date>2011-01-27T04:47:35Z</dc:date>
    </item>
    <item>
      <title>Re: Sourcetype not showing up properly.</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Sourcetype-not-showing-up-properly/m-p/33487#M5992</link>
      <description>&lt;P&gt;What were you upgrading from?&lt;/P&gt;

&lt;P&gt;I thought the -2 artifact arrived in 4.0, but it might have been new with 4.1.&lt;/P&gt;

&lt;P&gt;This is an artifact of CHECK_FOR_HEADER, which is sort of always on for csv files, even if they are given another sourcetype, at least with older versions of 4.1.&lt;/P&gt;

&lt;P&gt;I'll have to refer to the specific bug, but i thought this would not happen for explicit sourcetype in 4.1.6.  Do you expect to be able to get fields that are labelled by the headers of these files?  If so you might need this code enabled, and perhaps sourcetype aliasing is the best solution.&lt;/P&gt;</description>
      <pubDate>Thu, 27 Jan 2011 14:23:15 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Sourcetype-not-showing-up-properly/m-p/33487#M5992</guid>
      <dc:creator>jrodman</dc:creator>
      <dc:date>2011-01-27T14:23:15Z</dc:date>
    </item>
    <item>
      <title>Re: Sourcetype not showing up properly.</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Sourcetype-not-showing-up-properly/m-p/33488#M5993</link>
      <description>&lt;P&gt;Hi jrodman,&lt;/P&gt;

&lt;P&gt;I'm sorry but I didn't understand a word from your answer in regards to the problem. Why is this -2 showing up at the sourcetype and how do we get rid of it??? What has the extraction of fields to do with the fact that a sourcetype is being doubled??? I have the same phenomenon. I have cleared one index and reinstalled splunk on one of the clients and let it index again. And I have also the sourcetype with this -2 appended. Could you explain this in simplest words?? And how to get rid of it?&lt;/P&gt;

&lt;P&gt;Regards&lt;/P&gt;</description>
      <pubDate>Tue, 01 Feb 2011 18:14:37 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Sourcetype-not-showing-up-properly/m-p/33488#M5993</guid>
      <dc:creator>tzhmaba2</dc:creator>
      <dc:date>2011-02-01T18:14:37Z</dc:date>
    </item>
  </channel>
</rss>

