All Apps and Add-ons

Apply sourcetype on FTP Input (FTP Pull App)

pgylbert
New Member

I have a production equipment storing a log that I can access through FTP. I installed FTP Pull and set up an input and it works OK that far. However, the file format is a bit odd, so simply taking it in is not enough. (It has a special timestamp that Splunk does not interpret correctly out of the box, and there is no header line in the file). I have created a new sourcetype where I configured timestamp format and field names. When I upload the file manually and apply that particular sourcetype, data is indexed properly. I selected this sourcetype in the FTP Input configuration but it does not seem to take effect. The indexed events get this selected sourcetype associated, but the configuration of the sourcetype is not observed, so when the file comes through FTP, it is indexed incorrectly.

Is there a way to enforce the FTP Input to actually apply the configuration of the selected sourcetype?

Thanks in advance for sharing your thoughts or experience with me

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...