https://community.splunk.com/t5/Getting-Data-In/How-do-I-change-internal-index-sourcetype/m-p/397439#M70852 <P>There are number of sourcetypes that are present in _internal index [ all of them related core splunk]. Which sourcetype has changed and what's the change?</P> Tue, 26 Feb 2019 09:26:55 GMT lakshman239 2019-02-26T09:26:55Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-change-internal-index-sourcetype/m-p/397437#M70850 <P>Some how the _internal index changed its sourcetype. How does one go about changing it back? I am not to worried about the data that has already been indexed, but I need to make sure any new data is under the correct sourcetype.</P> Mon, 25 Feb 2019 20:15:42 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-change-internal-index-sourcetype/m-p/397437#M70850 wralph_EPACN 2019-02-25T20:15:42Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-change-internal-index-sourcetype/m-p/397438#M70851 <P>What do you mean by the index changing its sourcetype?</P> Tue, 26 Feb 2019 08:21:14 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-change-internal-index-sourcetype/m-p/397438#M70851 FrankVl 2019-02-26T08:21:14Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-change-internal-index-sourcetype/m-p/397439#M70852 <P>There are number of sourcetypes that are present in _internal index [ all of them related core splunk]. Which sourcetype has changed and what's the change?</P> Tue, 26 Feb 2019 09:26:55 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-change-internal-index-sourcetype/m-p/397439#M70852 lakshman239 2019-02-26T09:26:55Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-change-internal-index-sourcetype/m-p/397440#M70853 <P>Nothing has changed. Internal index contains several sourcetypes, and you just need to search for the one you're looking for</P> Tue, 26 Feb 2019 10:56:53 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-change-internal-index-sourcetype/m-p/397440#M70853 tiagofbmm 2019-02-26T10:56:53Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-change-internal-index-sourcetype/m-p/397441#M70854 <P>This is part of the search I am doing, <STRONG>index=_internal source=<EM>license_usage.log type="Usage" splunk_server=</EM> earliest=-7d@d latest=@d</STRONG>. Some how the source type changed from splunkd to cisco:ios and I am wondering how this happened and how to change it back. As this report runs once a week I did not catch it till this past run where it failed to produce anything.</P> <P>So the question could possibly be stated, how do i change the the licence_usage.log, and whatever else that uses splunkd as a sourcetype back to its default?</P> Tue, 29 Sep 2020 23:26:06 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-change-internal-index-sourcetype/m-p/397441#M70854 wralph_EPACN 2020-09-29T23:26:06Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-change-internal-index-sourcetype/m-p/397442#M70855 <P>Run <CODE>/opt/splunk/bin/splunk btool inputs list --debug | grep /var/log/splunk/ -B 10 -A 10</CODE></P> <P>Check if these inputs are having a sourcetype different than normal being assigned.</P> Tue, 26 Feb 2019 13:56:35 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-change-internal-index-sourcetype/m-p/397442#M70855 tiagofbmm 2019-02-26T13:56:35Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-change-internal-index-sourcetype/m-p/397443#M70856 <P>Given the sourcetype assigned, check the add-on related to cisco:ios and check for any faulty sourcetype overrides there.</P> <P>Or in general, do a: <CODE>/opt/splunk/bin/splunk btool props list --debug | grep "cisco:ios" -B 10 -A 10</CODE> and <CODE>/opt/splunk/bin/splunk btool transforms list --debug | grep "cisco:ios" -B 10 -A 10</CODE> to find any props or transforms related to setting that sourcetype.</P> Tue, 26 Feb 2019 14:03:38 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-change-internal-index-sourcetype/m-p/397443#M70856 FrankVl 2019-02-26T14:03:38Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-change-internal-index-sourcetype/m-p/397444#M70857 <P>I checked this against my prod environment and it besides for the host name everything was the same.</P> Tue, 26 Feb 2019 14:44:07 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-change-internal-index-sourcetype/m-p/397444#M70857 wralph_EPACN 2019-02-26T14:44:07Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-change-internal-index-sourcetype/m-p/397445#M70858 <P>both look fine to me, but this is the first time i am trying to debug an app so...<BR /> the first command i get:<BR /> <EM>/opt/splunk/etc/system/default/props.conf SHOULD_LINEMERGE = false<BR /> /opt/splunk/etc/system/default/props.conf TRANSFORMS =<BR /> /opt/splunk/etc/system/default/props.conf TRUNCATE = 10000<BR /> /opt/splunk/etc/system/default/props.conf category = Network &amp; Security<BR /> /opt/splunk/etc/system/default/props.conf description = Output produced by the Cisco Adaptive Security Appliance (ASA) Firewall<BR /> /opt/splunk/etc/system/default/props.conf detect_trailing_nulls = false<BR /> /opt/splunk/etc/system/default/props.conf maxDist = 100<BR /> /opt/splunk/etc/system/default/props.conf priority =<BR /> /opt/splunk/etc/system/default/props.conf pulldown_type = 1<BR /> /opt/splunk/etc/system/default/props.conf sourcetype =<BR /> /opt/splunk/etc/apps/TA-cisco_ios/default/props.conf [cisco:ios]<BR /> /opt/splunk/etc/system/default/props.conf ADD_EXTRA_TIME_FIELDS = True<BR /> /opt/splunk/etc/system/default/props.conf ANNOTATE_PUNCT = True<BR /> /opt/splunk/etc/system/default/props.conf AUTO_KV_JSON = true<BR /> /opt/splunk/etc/system/default/props.conf BREAK_ONLY_BEFORE =<BR /> /opt/splunk/etc/system/default/props.conf BREAK_ONLY_BEFORE_DATE = True<BR /> /opt/splunk/etc/system/default/props.conf CHARSET = UTF-8<BR /> /opt/splunk/etc/system/default/props.conf DATETIME_CONFIG = /etc/datetime.xml<BR /> /opt/splunk/etc/system/default/props.conf DEPTH_LIMIT = 1000<BR /> /opt/splunk/etc/apps/TA-cisco_ios/default/props.conf EVAL-app = "cisco:ios"<BR /> /opt/splunk/etc/apps/TA-cisco_ios/default/props.conf EVAL-authenticator = coalesce(authenticator, case(facility == "PEM" AND mnemonic == "WEBAUTHFAIL", "webauth", facility == "DOT1X", "dot1x"))<BR /> /opt/splunk/etc/apps/TA-cisco_ios/default/props.conf EVAL-bytes = bytes_in + bytes_out<BR /> /opt/splunk/etc/apps/TA-cisco_ios/default/props.conf EVAL-dest_mac = case(dest_mac == "Unknown MAC", NULL, isnotnull(dest_mac), lower(replace(dest_mac,"^([0-9a-fA-F]{2})([0-9a-fA-F]{2}).([0-9a-fA-F]{2})([0-9a-fA-F]{2}).([0-9a-fA-F]{2})([0-9a-fA-F]{2})","\1:\2:\3:\4:\5:\6")))<BR /> /opt/splunk/etc/apps/TA-cisco_ios/default/props.conf EVAL-dvc = coalesce(dvc, host)<BR /> /opt/splunk/etc/apps/TA-cisco_ios/default/props.conf EVAL-product = case(isnotnull(filename) AND isnotnull(filename_line), "WLC", isnotnull(direct_ap_mac), "AP", isnull(filename) AND isnull(filename_line) AND isnull(direct_ap_mac), "IOS")<BR /> /opt/splunk/etc/apps/TA-cisco_ios/default/props.conf EVAL-reliable_time = if(reliable_time == "</EM>", "false", "true")<BR /> /opt/splunk/etc/apps/TA-cisco_ios/default/props.conf EVAL-src_int = replace(src_int, "(\S+)\s(\d+)", "\1\2")<BR /> /opt/splunk/etc/apps/TA-cisco_ios/default/props.conf EVAL-src_mac = case(src_mac == "Unknown MAC", NULL, isnotnull(src_mac), lower(replace(src_mac,"^([0-9a-fA-F]{2})([0-9a-fA-F]{2}).([0-9a-fA-F]{2})([0-9a-fA-F]{2}).([0-9a-fA-F]{2})([0-9a-fA-F]{2})","\1:\2:\3:\4:\5:\6")))<BR /> /opt/splunk/etc/apps/TA-cisco_ios/default/props.conf EVAL-vendor = "Cisco"<BR /> /opt/splunk/etc/apps/TA-cisco_ios/default/props.conf EXTRACT-cisco-ios-BGP-3-IO_INIT = IO_INIT(\s)?:\s+Initialization failed: (?Failed accepting a replicated session) unable to find\s+nbr\s+*?(?\S+)*</P> <P>and for the second:<BR /> <EM>/opt/splunk/etc/system/default/transforms.conf MV_ADD = False<BR /> /opt/splunk/etc/apps/Splunk_SA_CIM/default/transforms.conf REGEX = ^.</EM><A href="https://community.splunk.com/.+" target="_blank">\/</A><EM>mod(?:alert|workflow).log$<BR /> /opt/splunk/etc/apps/Splunk_SA_CIM/default/transforms.conf SOURCE_KEY = MetaData:Source<BR /> /opt/splunk/etc/system/default/transforms.conf WRITE_META = False<BR /> /opt/splunk/etc/apps/TA-cisco_ios/default/transforms.conf [force_sourcetype_cisco_traceback]<BR /> /opt/splunk/etc/system/default/transforms.conf CAN_OPTIMIZE = True<BR /> /opt/splunk/etc/system/default/transforms.conf CLEAN_KEYS = True<BR /> /opt/splunk/etc/system/default/transforms.conf DEFAULT_VALUE =<BR /> /opt/splunk/etc/system/default/transforms.conf DEPTH_LIMIT = 1000<BR /> /opt/splunk/etc/apps/TA-cisco_ios/default/transforms.conf DEST_KEY = MetaData:Sourcetype<BR /> /opt/splunk/etc/apps/TA-cisco_ios/default/transforms.conf FORMAT = sourcetype::cisco:ios:traceback<BR /> /opt/splunk/etc/system/default/transforms.conf KEEP_EMPTY_VALS = False<BR /> /opt/splunk/etc/system/default/transforms.conf LOOKAHEAD = 4096<BR /> /opt/splunk/etc/system/default/transforms.conf MATCH_LIMIT = 100000<BR /> /opt/splunk/etc/system/default/transforms.conf MV_ADD = False<BR /> /opt/splunk/etc/apps/TA-cisco_ios/default/transforms.conf REGEX = -Traceback=<BR /> /opt/splunk/etc/system/default/transforms.conf SOURCE_KEY = _raw<BR /> /opt/splunk/etc/system/default/transforms.conf WRITE_META = False<BR /> /opt/splunk/etc/apps/TA-cisco_ios/default/transforms.conf [force_sourcetype_for_cisco_ios]<BR /> /opt/splunk/etc/system/default/transforms.conf CAN_OPTIMIZE = True<BR /> /opt/splunk/etc/system/default/transforms.conf CLEAN_KEYS = True<BR /> /opt/splunk/etc/system/default/transforms.conf DEFAULT_VALUE =<BR /> /opt/splunk/etc/system/default/transforms.conf DEPTH_LIMIT = 1000<BR /> /opt/splunk/etc/apps/TA-cisco_ios/default/transforms.conf DEST_KEY = MetaData:Sourcetype<BR /> /opt/splunk/etc/apps/TA-cisco_ios/default/transforms.conf FORMAT = sourcetype::cisco:ios<BR /> /opt/splunk/etc/system/default/transforms.conf KEEP_EMPTY_VALS = False<BR /> /opt/splunk/etc/system/default/transforms.conf LOOKAHEAD = 4096<BR /> /opt/splunk/etc/system/default/transforms.conf MATCH_LIMIT = 100000<BR /> /opt/splunk/etc/system/default/transforms.conf MV_ADD = False<BR /> /opt/splunk/etc/apps/TA-cisco_ios/default/transforms.conf REGEX = (?:(?:\S+)\s)?(?:(?:\d+)?:\s(?:.\S+:\s)?(?:[.*])?(?:.+)?)?:\s+(?:%|#)(?:(?!POLICY_ENGINE|UCSM|FWSM|ASA|PIX|ACE)[A-Z0-9</EM>]+)-(?:(?:[A-Z012_]<EM>(?:-?[A-Z_][^-]</EM>))-?)?(?:[0-7])-(?:[A-Z0-9_]+):(?:(?:[A-Za-z0-9_]+):)?\s(?:.+)<BR /> /opt/splunk/etc/system/default/transforms.conf SOURCE_KEY = <EM>raw<BR /> /opt/splunk/etc/system/default/transforms.conf WRITE_META = False<BR /> /opt/splunk/etc/apps/TA-cisco_ios/default/transforms.conf [force_sourcetype_for_cisco_ios-rfc5424]<BR /> /opt/splunk/etc/system/default/transforms.conf CAN_OPTIMIZE = True<BR /> /opt/splunk/etc/system/default/transforms.conf CLEAN_KEYS = True<BR /> /opt/splunk/etc/system/default/transforms.conf DEFAULT_VALUE =<BR /> /opt/splunk/etc/system/default/transforms.conf DEPTH_LIMIT = 1000<BR /> /opt/splunk/etc/apps/TA-cisco_ios/default/transforms.conf DEST_KEY = MetaData:Sourcetype<BR /> /opt/splunk/etc/apps/TA-cisco_ios/default/transforms.conf FORMAT = sourcetype::cisco:ios<BR /> /opt/splunk/etc/system/default/transforms.conf KEEP_EMPTY_VALS = False<BR /> /opt/splunk/etc/system/default/transforms.conf LOOKAHEAD = 4096<BR /> /opt/splunk/etc/system/default/transforms.conf MATCH_LIMIT = 100000<BR /> /opt/splunk/etc/system/default/transforms.conf MV_ADD = False<BR /> /opt/splunk/etc/apps/TA-cisco_ios/default/transforms.conf REGEX = (?:&lt;(?:\d+)&gt;)(?:\d+) (?:\S+) (?:\S+)? (?:\d+)\s+(?:\S+)\s+(?:\S+)(?:.+)?:\s+(?:%|#)(?:(?!POLICY_ENGINE|UCSM|FWSM|ASA|PIX|ACE)[A-Z0-9</EM>]+)-(?:(?:[A-Z0-2_]<EM>(?:-?[A-Z_][^-]</EM>))-?)?(?:[0-7])-(?:[A-Z0-9_]+):\s(?:.+)<BR /> /opt/splunk/etc/system/default/transforms.conf SOURCE_KEY = <EM>raw<BR /> /opt/splunk/etc/system/default/transforms.conf WRITE_META = False<BR /> /opt/splunk/etc/apps/TA-cisco_ios/default/transforms.conf [force_sourcetype_for_cisco_ios-xe]<BR /> /opt/splunk/etc/system/default/transforms.conf CAN_OPTIMIZE = True<BR /> /opt/splunk/etc/system/default/transforms.conf CLEAN_KEYS = True<BR /> /opt/splunk/etc/system/default/transforms.conf DEFAULT_VALUE =<BR /> /opt/splunk/etc/system/default/transforms.conf DEPTH_LIMIT = 1000<BR /> /opt/splunk/etc/apps/TA-cisco_ios/default/transforms.conf DEST_KEY = MetaData:Sourcetype<BR /> /opt/splunk/etc/apps/TA-cisco_ios/default/transforms.conf FORMAT = sourcetype::cisco:ios<BR /> /opt/splunk/etc/system/default/transforms.conf KEEP_EMPTY_VALS = False<BR /> /opt/splunk/etc/system/default/transforms.conf LOOKAHEAD = 4096<BR /> /opt/splunk/etc/system/default/transforms.conf MATCH_LIMIT = 100000<BR /> /opt/splunk/etc/system/default/transforms.conf MV_ADD = False<BR /> /opt/splunk/etc/apps/TA-cisco_ios/default/transforms.conf REGEX = (?:(?:\S+)\s)?(?:(?:\d+)?:\s(?:.\S+:\s)?(?:[.*])?(?:.+)?)?:\s+(?:%|#)(?:(?!POLICY_ENGINE|UCSM|FWSM|ASA|PIX|ACE)[A-Z0-9</EM>]+)-(?:(?:[A-Z012_]<EM>(?:-?[A-Z_][^-]</EM>))-?)?(?:[0-7])-(?:[A-Z0-9_]+):(?:(?:[A-Za-z0-9_]+):)?\s(?:.+)<BR /> /opt/splunk/etc/system/default/transforms.conf SOURCE_KEY = <EM>raw<BR /> /opt/splunk/etc/system/default/transforms.conf WRITE_META = False<BR /> /opt/splunk/etc/apps/TA-cisco_ios/default/transforms.conf [force_sourcetype_for_cisco_ios-xr]<BR /> /opt/splunk/etc/system/default/transforms.conf CAN_OPTIMIZE = True<BR /> /opt/splunk/etc/system/default/transforms.conf CLEAN_KEYS = True<BR /> /opt/splunk/etc/system/default/transforms.conf DEFAULT_VALUE =<BR /> /opt/splunk/etc/system/default/transforms.conf DEPTH_LIMIT = 1000<BR /> /opt/splunk/etc/apps/TA-cisco_ios/default/transforms.conf DEST_KEY = MetaData:Sourcetype<BR /> /opt/splunk/etc/apps/TA-cisco_ios/default/transforms.conf FORMAT = sourcetype::cisco:ios<BR /> /opt/splunk/etc/system/default/transforms.conf KEEP_EMPTY_VALS = False<BR /> /opt/splunk/etc/system/default/transforms.conf LOOKAHEAD = 4096<BR /> /opt/splunk/etc/system/default/transforms.conf MATCH_LIMIT = 100000<BR /> /opt/splunk/etc/system/default/transforms.conf MV_ADD = False<BR /> /opt/splunk/etc/apps/TA-cisco_ios/default/transforms.conf REGEX = (?:(?:\S+)\s)?(?:\d+):\s(?:(?:\S+)\s)?(?:(?:[A-Z]+)\/(?:\d+)\/(?:[A-Z0-9]+)\/(?:[A-Z0-9]+)):(?:.+)\s?:\s?(?:[A-Za-z0-9</EM>]+)[(?:\d+)]:\s+%(?:[A-Za-z0-9_]+)-(?:[A-Za-z0-9_]+)-(?:(?:[A-Za-z12_]<EM>(?:-?[A-Za-z_][^-]</EM>))-?)?(?:[0-7])-(?:[A-Z0-9_]+)\s:\s(?:.+)<BR /> /opt/splunk/etc/system/default/transforms.conf SOURCE_KEY = _raw<BR /> /opt/splunk/etc/system/default/transforms.conf WRITE_META = False<BR /> /opt/splunk/etc/apps/Splunk_TA_nix/default/transforms.conf [fs_notification_change_type_lookup]<BR /> /opt/splunk/etc/system/default/transforms.conf CAN_OPTIMIZE = True<BR /> /opt/splunk/etc/system/default/transforms.conf CLEAN_KEYS = True*</P> Tue, 29 Sep 2020 23:21:15 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-change-internal-index-sourcetype/m-p/397445#M70858 wralph_EPACN 2020-09-29T23:21:15Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-change-internal-index-sourcetype/m-p/397446#M70859 <P>Ok, so there are four transforms that set that sourcetype:</P> <PRE><CODE>force_sourcetype_for_cisco_ios force_sourcetype_for_cisco_ios-rfc5424 force_sourcetype_for_cisco_ios-xe force_sourcetype_for_cisco_ios-xr </CODE></PRE> <P>You'll need to check how these transforms are triggered from props.conf, to see if any of that could accidentally apply to internal logs.</P> Wed, 27 Feb 2019 08:34:56 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-change-internal-index-sourcetype/m-p/397446#M70859 FrankVl 2019-02-27T08:34:56Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-change-internal-index-sourcetype/m-p/397447#M70860 <P>@wralph_EPACN please accept an answer if it solved/helped it and upvote it. Otherwise let us know how can we help further</P> Fri, 01 Mar 2019 11:07:52 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-change-internal-index-sourcetype/m-p/397447#M70860 tiagofbmm 2019-03-01T11:07:52Z