https://community.splunk.com/t5/Splunk-Search/how-can-we-change-forwarder-sourcetype/m-p/510324#M142909 <P>splunk 8.0.4.1, forwarder 7.0</P><P>ㅡㅡㅡ</P><P>inputs.conf</P><P>[monitor:///home/splunk/logdownload/mail/*/*.csv]</P><P>host:0.0.0.0</P><P>disabled=false</P><P>index=mail</P><P>soure=csv</P><P>sourcetyep=forwarder_mail</P><P>crcSalt=&lt;SOURCE&gt;</P><P>&nbsp;</P><P>[monitor:///home/splunk/logdownload/wk/*/*http*.csv]</P><P>host:0.0.0.0</P><P>disabled=false</P><P>index=web</P><P>soure=csv</P><P>sourcetyep=forwarder_http</P><P>crcSalt=&lt;SOURCE&gt;</P><P>&nbsp;</P><P>[monitor:///home/splunk/logdownload/wk/*/*netapps*.csv]</P><P>host:0.0.0.0</P><P>disabled=false</P><P>index=web</P><P>soure=csv</P><P>sourcetyep=forwarder_app</P><P>crcSalt=&lt;SOURCE&gt;</P><P>ㅡㅡㅡ</P><P>./splunk btool inpus list --debug, No problem.</P><P>&nbsp;</P><P>thank you for reply</P> Wed, 22 Jul 2020 01:42:24 GMT lifekis 2020-07-22T01:42:24Z https://community.splunk.com/t5/Splunk-Search/how-can-we-change-forwarder-sourcetype/m-p/510316#M142907 <P>I have a problem with parsing, so I want to change the sourcetype.</P> <P>ex) index=A sourcetype=A&nbsp; →&nbsp; index=A sourcetype=B</P> <P>I am using forwarder and restarted after changing sourcetype in inputs.conf.</P> <P>However, the log flows into the existing sourcetype.<BR />How can I solve it?</P> Thu, 23 Jul 2020 03:42:20 GMT https://community.splunk.com/t5/Splunk-Search/how-can-we-change-forwarder-sourcetype/m-p/510316#M142907 lifekis 2020-07-23T03:42:20Z https://community.splunk.com/t5/Splunk-Search/how-can-we-change-forwarder-sourcetype/m-p/510319#M142908 <P>Hi! Can you please share more details, like Splunk version and full data path to indexer?</P><P>Is this Universal Forwarder to Indexer?</P><P>Can you try&nbsp;</P><LI-CODE lang="markup">./splunk btool inputs list --debug</LI-CODE><P>and confirm the forwarder sees your changes?</P><P>&nbsp;</P> Wed, 22 Jul 2020 01:17:21 GMT https://community.splunk.com/t5/Splunk-Search/how-can-we-change-forwarder-sourcetype/m-p/510319#M142908 mattymo 2020-07-22T01:17:21Z https://community.splunk.com/t5/Splunk-Search/how-can-we-change-forwarder-sourcetype/m-p/510324#M142909 <P>splunk 8.0.4.1, forwarder 7.0</P><P>ㅡㅡㅡ</P><P>inputs.conf</P><P>[monitor:///home/splunk/logdownload/mail/*/*.csv]</P><P>host:0.0.0.0</P><P>disabled=false</P><P>index=mail</P><P>soure=csv</P><P>sourcetyep=forwarder_mail</P><P>crcSalt=&lt;SOURCE&gt;</P><P>&nbsp;</P><P>[monitor:///home/splunk/logdownload/wk/*/*http*.csv]</P><P>host:0.0.0.0</P><P>disabled=false</P><P>index=web</P><P>soure=csv</P><P>sourcetyep=forwarder_http</P><P>crcSalt=&lt;SOURCE&gt;</P><P>&nbsp;</P><P>[monitor:///home/splunk/logdownload/wk/*/*netapps*.csv]</P><P>host:0.0.0.0</P><P>disabled=false</P><P>index=web</P><P>soure=csv</P><P>sourcetyep=forwarder_app</P><P>crcSalt=&lt;SOURCE&gt;</P><P>ㅡㅡㅡ</P><P>./splunk btool inpus list --debug, No problem.</P><P>&nbsp;</P><P>thank you for reply</P> Wed, 22 Jul 2020 01:42:24 GMT https://community.splunk.com/t5/Splunk-Search/how-can-we-change-forwarder-sourcetype/m-p/510324#M142909 lifekis 2020-07-22T01:42:24Z https://community.splunk.com/t5/Splunk-Search/how-can-we-change-forwarder-sourcetype/m-p/510325#M142910 <P>sourcetype is mispelled - "sourceteyp". splunk is likely ignoring it. can you confirm btool does not show the proper sourcetype set?</P> Wed, 22 Jul 2020 01:52:59 GMT https://community.splunk.com/t5/Splunk-Search/how-can-we-change-forwarder-sourcetype/m-p/510325#M142910 mattymo 2020-07-22T01:52:59Z https://community.splunk.com/t5/Splunk-Search/how-can-we-change-forwarder-sourcetype/m-p/510326#M142911 <P>It's a typo and already checked&nbsp;sourcetype set..</P> Wed, 22 Jul 2020 01:52:55 GMT https://community.splunk.com/t5/Splunk-Search/how-can-we-change-forwarder-sourcetype/m-p/510326#M142911 lifekis 2020-07-22T01:52:55Z https://community.splunk.com/t5/Splunk-Search/how-can-we-change-forwarder-sourcetype/m-p/510327#M142912 <P>what sourcetype are you receiving? is it being overridden at the indexer?</P> Wed, 22 Jul 2020 01:55:21 GMT https://community.splunk.com/t5/Splunk-Search/how-can-we-change-forwarder-sourcetype/m-p/510327#M142912 mattymo 2020-07-22T01:55:21Z https://community.splunk.com/t5/Splunk-Search/how-can-we-change-forwarder-sourcetype/m-p/510332#M142913 <P>&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="img.png" style="width: 924px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/9810i43EBB067A95D0CF7/image-size/large?v=v2&amp;px=999" role="button" title="img.png" alt="img.png" /></span></P> Wed, 22 Jul 2020 02:11:30 GMT https://community.splunk.com/t5/Splunk-Search/how-can-we-change-forwarder-sourcetype/m-p/510332#M142913 lifekis 2020-07-22T02:11:30Z https://community.splunk.com/t5/Splunk-Search/how-can-we-change-forwarder-sourcetype/m-p/510405#M142914 <P>ok...so the events get picked up and sent to where? any intermediate forwarders in the path to the indexers? what sourcetype are you seeing in the events in splunk UI?</P> Wed, 22 Jul 2020 11:25:52 GMT https://community.splunk.com/t5/Splunk-Search/how-can-we-change-forwarder-sourcetype/m-p/510405#M142914 mattymo 2020-07-22T11:25:52Z https://community.splunk.com/t5/Splunk-Search/how-can-we-change-forwarder-sourcetype/m-p/510554#M142915 <P>no&nbsp;<SPAN>intermediate and seeing sourcetype=forwarder.</SPAN></P><P>still can not change sourcetype T.T</P> Thu, 23 Jul 2020 00:08:01 GMT https://community.splunk.com/t5/Splunk-Search/how-can-we-change-forwarder-sourcetype/m-p/510554#M142915 lifekis 2020-07-23T00:08:01Z