topic Why does my sourcetype works only on standalone environment ? in Splunk Search

Why does my sourcetype works only on standalone environment ?

Théophane_GUE — Fri, 07 Jun 2024 13:57:36 GMT

Hello,
I've recently tested a sourcetype for a new input via the props.conf file on my standalone dev environment, and it worked perfectly -datas were correctly parsed -. But when I put it in my prod environment, the data which where attributed the sourcetype weren't parsed at all.

Now, my prod environment is distributed (HFs->DS->Indexers->SH) but I've been careful to put the sourcetype both in the Heavy forwarder and in the searchhead as recommended, and i've restart both the HF and the SH but it still doesn't work.

Does anyone have an idea of what I can do to fix it?

Re: Why does my sourcetype works only on standalone environment ?

inventsekar — Fri, 07 Jun 2024 16:57:57 GMT

Hi @Théophane_GUE .. pls update us what sourcetype name pls.

from UF, how do you send the logs?.. thru any apps/addons? or just inputs.conf?

Re: Why does my sourcetype works only on standalone environment ?

Théophane_GUE — Fri, 07 Jun 2024 18:53:36 GMT

Hi,
The file was placed in a monitored folder from the HF (so through inputs.conf), but even when we tested uploading it via the GUI -like we tested in the dev environment- it still wasn't parsed

For the sourcetype, it was a custom one:

[Sourcetype_1]
BREAK_ONLY_BEFORE_DATE =
CHARSET = UTF-8
DATETIME_CONFIG =
EVAL-CREATION_DATE =
EVAL-DEPT =
EVAL-FIRST_NAME =
EVAL-FONCTION =
EVAL-FULL_NAME = if(match(Name, "(Disabled)"), substr(Name, 1, len(Name)-11), Name)
EVAL-LAST_LOGON = replace(Last_Seen, "(\d+)\.(\d+)\.(\d+)", "\3.\2.\1")
EVAL-LAST_NAME =
EVAL-LOCKED = if(match(Name, "(Disabled)"), "Yes", "No")
EVAL-LOCK_REASON =
EVAL-LOGIN = Name
EVAL-MAIL = Email
EVAL-METROID =
EVAL-PROFILE = Roles."|".Scope."|".Groups
EVAL-PWD_VALID_TO =
EVAL-STORE_CODE_5digits =
EVAL-USER_IDENTIFICATION = "1 Firstname 1 Name"
EVAL-VALID_FROM =
EVAL-VALID_TO =
EXTRACT-DATE_EXTRACTION = (?i)^.+_(?P<DATE_EXTRACTION>\d{8})\.csv in source
EXTRACT-Name,Email,Scope,Last_Seen =
EXTRACT-username,type,firstname,lastname,email =
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Custom
disabled = false
pulldown_type = 1
EXTRACT-Name,Roles,Email,Groups,Language,Agent_Type,Scope,Last_Seen = ^(?<Name>[^;]*);(?<Roles>[^;]*);(?<Email>[^;]*);(?<Groups>[^;]*);(?<Language>[^;]*);(?<Agent_Type>[^;]*);(?<Scope>[^;]*);(?<Last_Seen>[^;]*)
#MAX_TIMESTAMP_LOOKAHEAD = 1000
#HEADER_FIELD_LINE_NUMBER = 1

I know the sourcetype isn't clean or anything but why would he work on standalone, and not in distributed environment ?