https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-Sourcetype-name-changes-itself/m-p/480800#M82434 <P>Hello <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/211033">@ea7777777</a> ,</P> <P>are the log files in this folder being renamed? If yes, do they have the similar suffix (1-2-2-2)?</P> <P>check on indexer (and on UF too, if you use INDEXED_EXTRACTIONS or local_processing) if there is any sourcetype renaming in any transforms.conf file:</P> <P>on linux:</P> <PRE><CODE>grep -Er MetaData:Sourcetype /opt/splunk/etc/* </CODE></PRE> <P>on Windows:</P> <PRE><CODE>findstr /s MetaData:Sourcetype c:\ProgramFiles\Splunk\etc\* </CODE></PRE> <P>or by using btool</P> <PRE><CODE>splunk btool transforms list --debug |grep MetaData:Sourcetype splunk btool transforms list --debug |findstr MetaData:Sourcetype </CODE></PRE> Wed, 30 Sep 2020 05:03:13 GMT PavelP 2020-09-30T05:03:13Z https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-Sourcetype-name-changes-itself/m-p/480797#M82431 <P>Hello,</P> <P>a Universal Forwarder (7.0.1) is watches an textfile. The parameter are following:</P> <PRE><CODE>[default] host = RBD9EUFN [monitor://C:\ProgramData\Cognex\In-Sight\Splunk\Log_Cam] index = rbg_ff1_stand_allone_ant2 sourcetype = rbg_ff1_stand_allone_ant2_sourcetype crcSalt = &lt;SOURCE&gt; followTail = 1 </CODE></PRE> <P>The strange thing is, the sourcetype name changes itself! Why?</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/8745i5B916F8C810957FF/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Mon, 20 Apr 2020 13:20:38 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-Sourcetype-name-changes-itself/m-p/480797#M82431 ea7777777 2020-04-20T13:20:38Z https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-Sourcetype-name-changes-itself/m-p/480798#M82432 <P>Try this instead:</P> <PRE><CODE>tstats count where index=rbg_ff1_stand_allone_ant2 by sourcetype </CODE></PRE> Mon, 20 Apr 2020 13:58:16 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-Sourcetype-name-changes-itself/m-p/480798#M82432 codebuilder 2020-04-20T13:58:16Z https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-Sourcetype-name-changes-itself/m-p/480799#M82433 <P>The host name in your screen shot does not match the host name in your config.</P> Mon, 20 Apr 2020 14:03:45 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-Sourcetype-name-changes-itself/m-p/480799#M82433 richgalloway 2020-04-20T14:03:45Z https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-Sourcetype-name-changes-itself/m-p/480800#M82434 <P>Hello <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/211033">@ea7777777</a> ,</P> <P>are the log files in this folder being renamed? If yes, do they have the similar suffix (1-2-2-2)?</P> <P>check on indexer (and on UF too, if you use INDEXED_EXTRACTIONS or local_processing) if there is any sourcetype renaming in any transforms.conf file:</P> <P>on linux:</P> <PRE><CODE>grep -Er MetaData:Sourcetype /opt/splunk/etc/* </CODE></PRE> <P>on Windows:</P> <PRE><CODE>findstr /s MetaData:Sourcetype c:\ProgramFiles\Splunk\etc\* </CODE></PRE> <P>or by using btool</P> <PRE><CODE>splunk btool transforms list --debug |grep MetaData:Sourcetype splunk btool transforms list --debug |findstr MetaData:Sourcetype </CODE></PRE> Wed, 30 Sep 2020 05:03:13 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-Sourcetype-name-changes-itself/m-p/480800#M82434 PavelP 2020-09-30T05:03:13Z