<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Make Splunk stop learning sourcetypes! in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Make-Splunk-stop-learning-sourcetypes/m-p/43846#M8197</link>
    <description>&lt;P&gt;Hi&lt;/P&gt;

&lt;P&gt;In this setup, we have servers for each universal-forwarder -&amp;gt; forwarder -&amp;gt; indexer -&amp;gt; searchhead.&lt;/P&gt;

&lt;P&gt;I am testing adding Linux logs (/var/log) to Splunk, but I won't pollute the splunk indexer with -any- learned sourcetypes. If Splunk can't figure out the sourcetype based on its rules, the sourcetype should be set to 'linux_logs_unknown'.&lt;/P&gt;

&lt;P&gt;We have managed to get rid of all the XXX-too_small entries by putting this in the props.conf on the universal forwarders:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[too_small]
PREFIX_SOURCETYPE = False
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;But I am still getting sourcetypes of e.g. smbd-5 for source=/var/log/samba/smbd.log.&lt;BR /&gt;
And sourcetype=wb-DOMAIN.log for source=/var/log/samba/wb-DOMAIN.log.&lt;/P&gt;

&lt;P&gt;Note that this problem is not only for samba, it's for everything under /var/log.&lt;/P&gt;

&lt;P&gt;I am still somewhat new to Splunk, so please give examples &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;</description>
    <pubDate>Mon, 28 Sep 2020 13:23:42 GMT</pubDate>
    <dc:creator>lsolberg</dc:creator>
    <dc:date>2020-09-28T13:23:42Z</dc:date>
    <item>
      <title>Make Splunk stop learning sourcetypes!</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Make-Splunk-stop-learning-sourcetypes/m-p/43846#M8197</link>
      <description>&lt;P&gt;Hi&lt;/P&gt;

&lt;P&gt;In this setup, we have servers for each universal-forwarder -&amp;gt; forwarder -&amp;gt; indexer -&amp;gt; searchhead.&lt;/P&gt;

&lt;P&gt;I am testing adding Linux logs (/var/log) to Splunk, but I won't pollute the splunk indexer with -any- learned sourcetypes. If Splunk can't figure out the sourcetype based on its rules, the sourcetype should be set to 'linux_logs_unknown'.&lt;/P&gt;

&lt;P&gt;We have managed to get rid of all the XXX-too_small entries by putting this in the props.conf on the universal forwarders:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[too_small]
PREFIX_SOURCETYPE = False
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;But I am still getting sourcetypes of e.g. smbd-5 for source=/var/log/samba/smbd.log.&lt;BR /&gt;
And sourcetype=wb-DOMAIN.log for source=/var/log/samba/wb-DOMAIN.log.&lt;/P&gt;

&lt;P&gt;Note that this problem is not only for samba, it's for everything under /var/log.&lt;/P&gt;

&lt;P&gt;I am still somewhat new to Splunk, so please give examples &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 28 Sep 2020 13:23:42 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Make-Splunk-stop-learning-sourcetypes/m-p/43846#M8197</guid>
      <dc:creator>lsolberg</dc:creator>
      <dc:date>2020-09-28T13:23:42Z</dc:date>
    </item>
    <item>
      <title>Re: Make Splunk stop learning sourcetypes!</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Make-Splunk-stop-learning-sourcetypes/m-p/43847#M8198</link>
      <description>&lt;P&gt;I assume that the problem isn't really in &lt;CODE&gt;sourcetyping&lt;/CODE&gt; but rather in forwarding.  You need a &lt;EM&gt;properly&lt;/EM&gt; restrictive entry in &lt;CODE&gt;inputs.conf&lt;/CODE&gt; and by that I mean that you should have a whitelist OR a blacklist (e.g. do not just monitor a directory but rather some specific stuff in that directly) and prevent Splunk from digging any deeper than that by using the &lt;CODE&gt;recursive = false&lt;/CODE&gt; directive.  Read the "MONITOR:" section here:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;&lt;A href="http://docs.splunk.com/Documentation/Splunk/6.2.3/admin/inputsconf" target="test_blank"&gt;http://docs.splunk.com/Documentation/Splunk/6.2.3/admin/inputsconf&lt;/A&gt;
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;If you &lt;EM&gt;really&lt;/EM&gt; would like to disable learning, edit $SPLUNK_HOME/etc/apps/learned/local/app.conf and make sure it says this:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[install]
state = disabled
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Sun, 21 Jun 2015 20:49:18 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Make-Splunk-stop-learning-sourcetypes/m-p/43847#M8198</guid>
      <dc:creator>woodcock</dc:creator>
      <dc:date>2015-06-21T20:49:18Z</dc:date>
    </item>
  </channel>
</rss>