https://community.splunk.com/t5/Splunk-Search/Unable-to-create-sourcetype/m-p/484411#M193426 <P>I am trying to create a souretype "meraki" on the GUI. </P> <P>But it is saying "Sourcetype meraki already exists"</P> <P>sourcetype meraki does not exist in the list of sourcetypes. What could be the problem. Why it is not allowing me to create sourcetype.</P> <P>Earlier I created an index with name "meraki".</P> Wed, 29 Apr 2020 09:06:22 GMT pratapa 2020-04-29T09:06:22Z https://community.splunk.com/t5/Splunk-Search/Unable-to-create-sourcetype/m-p/484411#M193426 <P>I am trying to create a souretype "meraki" on the GUI. </P> <P>But it is saying "Sourcetype meraki already exists"</P> <P>sourcetype meraki does not exist in the list of sourcetypes. What could be the problem. Why it is not allowing me to create sourcetype.</P> <P>Earlier I created an index with name "meraki".</P> Wed, 29 Apr 2020 09:06:22 GMT https://community.splunk.com/t5/Splunk-Search/Unable-to-create-sourcetype/m-p/484411#M193426 pratapa 2020-04-29T09:06:22Z https://community.splunk.com/t5/Splunk-Search/Unable-to-create-sourcetype/m-p/484412#M193427 <P>Hello @pratapa,</P> <P>do you have TA-meraki installed? Check under Manage Apps.</P> <P>You can see meraki sourcetype definition with:</P> <PRE><CODE> $SPLUNK_HOME/bin/splunk btool props list --debug meraki </CODE></PRE> Wed, 29 Apr 2020 12:10:35 GMT https://community.splunk.com/t5/Splunk-Search/Unable-to-create-sourcetype/m-p/484412#M193427 PavelP 2020-04-29T12:10:35Z https://community.splunk.com/t5/Splunk-Search/Unable-to-create-sourcetype/m-p/484413#M193428 <P>You can build a sourcetype from the web UI, but that interface does not actually install it. It's actually gone once you close or leave that page.</P> <P>Once you've finished creating the sourcetype you'll need to copy the stanza text that is generated and paste it into props.conf then either cycle Splunk or use the deployer to push it out if it's going to be part of an app.</P> Wed, 29 Apr 2020 14:14:32 GMT https://community.splunk.com/t5/Splunk-Search/Unable-to-create-sourcetype/m-p/484413#M193428 codebuilder 2020-04-29T14:14:32Z https://community.splunk.com/t5/Splunk-Search/Unable-to-create-sourcetype/m-p/484414#M193429 <P>Yes we installed TA-meraki.</P> <P>Following is the output of $SPLUNK_HOME/bin/splunk btool props list --debug meraki</P> <P>./splunk btool props list --debug meraki</P> <P>/opt/splunk/etc/apps/TA-meraki/default/props.conf [meraki]<BR /> /opt/splunk/etc/system/default/props.conf ADD_EXTRA_TIME_FIELDS = True<BR /> /opt/splunk/etc/system/default/props.conf ANNOTATE_PUNCT = True<BR /> /opt/splunk/etc/system/default/props.conf AUTO_KV_JSON = true<BR /> /opt/splunk/etc/system/default/props.conf BREAK_ONLY_BEFORE =<BR /> /opt/splunk/etc/system/default/props.conf BREAK_ONLY_BEFORE_DATE = True<BR /> /opt/splunk/etc/system/default/props.conf CHARSET = UTF-8<BR /> /opt/splunk/etc/system/default/props.conf DATETIME_CONFIG = /etc/datetime.xml<BR /> /opt/splunk/etc/system/default/props.conf DEPTH_LIMIT = 1000</P> <H1>cat props.conf</H1> <P>[meraki]</P> <H1>This line is needed to be on the indexer or heavy forwarder</H1> <H1>meraki includes their own date/time which is a unix timestamp, this transforms detect it and removes it</H1> <H1>which saves you data</H1> <P>TRANSFORMS-meraki_date_clipper = meraki_date_clipper</P> <P>KV_MODE = none</P> <P>REPORT-dvc = meraki_dvc<BR /> REPORT-dvc2 = meraki_dvc2<BR /> REPORT-dvc_ip = meraki_dvc_ip<BR /> REPORT-dvc_ip2 = meraki_dvc_ip2<BR /> REPORT-content_filtering_generic = meraki_content_filtering_generic<BR /> REPORT-transport = meraki_transport<BR /> REPORT-url_protocol = meraki_url_protocol<BR /> REPORT-http_user_agent = meraki_http_user_agent<BR /> REPORT-src = meraki_src<BR /> REPORT-dst = meraki_dst<BR /> REPORT-http_method = meraki_http_method<BR /> REPORT-src_mac = meraki_src_mac<BR /> REPORT-user = meraki_user<BR /> REPORT-user2 = meraki_user2<BR /> REPORT-url = meraki_url<BR /> REPORT-url2 = meraki_url2<BR /> REPORT-category = meraki_category<BR /> REPORT-dest_port = meraki_dest_port<BR /> REPORT-dest_port2 = meraki_dest_port2<BR /> REPORT-src_port = meraki_src_port<BR /> REPORT-src_port2 = meraki_src_port2<BR /> REPORT-icmp_type = meraki_icmp_type<BR /> REPORT-meraki_action = meraki_action<BR /> REPORT-meraki_flows_action = meraki_flows_action<BR /> REPORT-meraki_priority = meraki_priority<BR /> REPORT-signature_id = meraki_signature_id<BR /> REPORT-signature = meraki_signature</P> <H2>Sets value for meraki_app; in REPORT first device that sets value overrides secondary queries</H2> <P>REPORT-meraki_1events_ad = meraki_events_ad<BR /> REPORT-meraki_2dhcp_conflict = meraki_dhcp_conflict<BR /> REPORT-meraki_3dhcp_lease_added = meraki_dhcp_lease_added<BR /> REPORT-meraki_4dhcp_lease_release = meraki_dhcp_lease_release<BR /> REPORT-meraki_5dhcp_lease_fail = meraki_dhcp_lease_fail<BR /> REPORT-meraki_6dhcp_lease_fail2 = meraki_dhcp_lease_fail2<BR /> REPORT-meraki_7port = meraki_port<BR /> REPORT-meraki_8authentication = meraki_authentication<BR /> REPORT-meraki_91wireless = meraki_events_wireless<BR /> REPORT-meraki_92app = meraki_app<BR /> REPORT-meraki_93app = meraki_app2</P> <H1>These handles the airmarshal_events</H1> <P>REPORT-air_signature = air_signature<BR /> REPORT-air_ssid = air_ssid<BR /> REPORT-air_bssid = air_bssid<BR /> REPORT-air_src_mac = air_src_mac<BR /> REPORT-air_dest_mac = air_dest_mac<BR /> REPORT-air_wired_mac = air_wired_mac<BR /> REPORT-air_client_mac = air_client_mac<BR /> REPORT-air_vlan_id = air_vlan_id<BR /> REPORT-air_channel = air_channel<BR /> REPORT-air_fc_type = air_fc_type<BR /> REPORT-air_fc_subtype = air_fc_subtype<BR /> REPORT-air_inter_arrival = air_inter_arrival<BR /> REPORT-air_dos_count = air_dos_count<BR /> REPORT-air_alarm_id = air_alarm_id<BR /> REPORT-air_state = air_state<BR /> REPORT-air_radio = air_radio<BR /> REPORT-air_packet = air_packet<BR /> REPORT-air_reason = air_reason<BR /> REPORT-air_rssi = air_rssi<BR /> REPORT-air_vap = air_vap<BR /> REPORT-air_client_ip = air_client_ip<BR /> REPORT-air_instigator = air_instigator<BR /> REPORT-air_duration = air_duration<BR /> REPORT-air_last_auth_ago = air_last_auth_ago<BR /> REPORT-air_is_wpa = air_is_wpa<BR /> REPORT-air_full_conn = air_full_conn<BR /> REPORT-air_ip_resp = air_ip_resp<BR /> REPORT-air_ip_src = air_ip_src<BR /> REPORT-air_http_resp = air_http_resp<BR /> REPORT-air_arp_resp = air_arp_resp<BR /> REPORT-air_arp_src = air_arp_src<BR /> REPORT-air_dns_server = air_dns_server<BR /> REPORT-air_dns_req_rtt = air_dns_req_rtt<BR /> REPORT-air_dns_resp = air_dns_resp<BR /> REPORT-air_dhcp_lease_completed = air_dhcp_lease_completed<BR /> REPORT-air_dhcp_ip = air_dhcp_ip<BR /> REPORT-air_dhcp_server = air_dhcp_server<BR /> REPORT-air_dhcp_server_mac = air_dhcp_server_mac<BR /> REPORT-air_dhcp_resp = air_dhcp_resp<BR /> REPORT-air_aid = air_aid<BR /> REPORT-air_info = air_info<BR /> REPORT-air_type = air_type<BR /> REPORT-meraki_wireless_action = meraki_wireless_action</P> <P>FIELDALIAS-dest = dst AS dest<BR /> FIELDALIAS-src_ip = src AS src_ip<BR /> FIELDALIAS-srcip = src AS srcip<BR /> FIELDALIAS-dest_ip = dst AS dest_ip<BR /> FIELDALIAS-user_agent = http_user_agent AS user_agent<BR /> FIELDALIAS-ua = http_user_agent AS ua<BR /> FIELDALIAS-urlc = category AS urlc</P> <H1>FIELDALIAS-signature = category AS signature</H1> <P>FIELDALIAS-urlp = dest_port AS urlp<BR /> FIELDALIAS-client_ip = client_ip AS src_ip</P> <P>EVAL-http_user_agent_length = len(http_user_agent)<BR /> EVAL-ids_type = if(meraki_app=="ids-alerts", "network", if(meraki_app=="events-airmarshal","wireless",null()))<BR /> EVAL-app = "meraki-".meraki_app<BR /> EVAL-url_length = len(url)<BR /> EVAL-response_time = sum(arp_resp+dhcp_resp+ip_resp)</P> <H1>CIM states that (src|dest|x)_mac should be lower case</H1> <H1>docs.splunk.com/Documentation/CIM/latest/User/NetworkTraffic</H1> <P>EVAL-src_mac = lower(src_mac)<BR /> EVAL-dest_mac = lower(dest_mac)<BR /> EVAL-client_mac = lower(client_mac)<BR /> EVAL-cached = "0"<BR /> EVAL-lease_scope = if(len(lease_scope_subnet)=&gt;1,src."/".lease_scope_subnet,null())<BR /> EVAL-signature = coalesce(dhcpsignature,category,signature)<BR /> EVAL-category = coalesce(category,signature)<BR /> EVAL-signature_id = coalesce(dhcpsignature_id,signature_id)<BR /> EVAL-meraki_action = coalesce(meraki_action,meraki_dhcp_action,meraki_wireless_action,meraki_airmarshal_action)<BR /> EVAL-meraki_priority = coalesce(meraki_port_priority,meraki_priority,meraki_dhcp_priority,meraki_ad_priority,meraki_url_priority)</P> <P>LOOKUP-vendor_info_for_meraki = meraki_vendor_info_lookup sourcetype OUTPUT vendor,product,vendor_product<BR /> LOOKUP-action_for_meraki = meraki_action_lookup meraki_action OUTPUT action<BR /> LOOKUP-severity_for_meraki = meraki_severity_lookup meraki_priority OUTPUT severity<BR /> LOOKUP-icmp_code_for_meraki = meraki_icmp_code_lookup icmp_type OUTPUT icmp_code<BR /> LOOKUP-status_code_for_meraki = meraki_status_code_lookup meraki_app,meraki_action OUTPUT status_code,status,rule</P> <P>What I need to do to create sourcetype meraki.</P> Wed, 30 Sep 2020 05:21:22 GMT https://community.splunk.com/t5/Splunk-Search/Unable-to-create-sourcetype/m-p/484414#M193429 pratapa 2020-09-30T05:21:22Z