
Splunk Add-on for Unix and Linux: Where is the sourcetype for /var/log/authlog defined?

hylam
Contributor

I have installed the Unix TA on Solaris 10. The Unix TA is forwarding authentication failure events recorded in /var/log/authlog to index=os. I cannot locate sourcetype=authlog in the .conf files. Does it use the 3rd part of the path as the sourcetype? Where is this defined? Thanks.


jcoates_splunk
Splunk Employee

Hi,

Probably one of these areas:

[Splunk_TA_nix]$ grep -rin solaris default | grep -i sourcetype
default/props.conf:421:sourcetype = Solaris:Memory
default/props.conf:457:sourcetype = Solaris:Service
default/props.conf:542:sourcetype = Solaris:Version

But more to the point, the naughty routing into an index is controlled by inputs.conf. Here's how to override that:

$ head etc/apps/Splunk_TA_nix/local/inputs.conf 
[monitor:///etc]
disabled = false
index = default

[monitor:///home/.../.bash_history]
disabled = false
index = default
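The answer above only greps for "solaris"; the real question is the order in which Splunk decides a file's sourcetype. The following script is an added example (not part of the original thread, and not code from Splunk or the Splunk_TA_nix add-on) that walks that order for a given path: an explicit sourcetype on the most specific matching [monitor://] stanza in inputs.conf, then a [source::...] stanza in props.conf, and only then Splunk's automatic sourcetype derived from the file name. The inputs.conf and props.conf contents are constructed for the example (the [monitor:///var/log] whitelist is modelled on the add-on's style but is not its default), and the file-name fallback is a deliberately simplified approximation of Splunk's automatic sourcetyping, which also tries pretrained sourcetypes against the file's content first.

```python
"""Resolve which Splunk sourcetype applies to a monitored file, and where
that decision comes from.  Resolution order modelled here:
  1. explicit `sourcetype =` on the most specific matching [monitor://] stanza
  2. a matching [source::...] stanza in props.conf
  3. an automatic sourcetype derived from the file name (simplified; real
     Splunk also tries pretrained sourcetypes against the file content first)
The two .conf texts below are constructed for this example; they are not the
Splunk_TA_nix defaults."""
import configparser
import os
import re

INPUTS_CONF = r"""
[monitor:///var/log]
whitelist = (\.log|log$|messages|secure|auth|mesg$|cron$|acpid$|\.out)
blacklist = (lastlog|anaconda\.syslog)
disabled = false
index = os

[monitor:///var/log/secure]
sourcetype = linux_secure
index = os

[monitor:///var/adm]
whitelist = (messages|sulog$)
index = os
"""

PROPS_CONF = r"""
[source::.../var/adm/messages]
sourcetype = syslog

[source::...cron*]
sourcetype = cron
"""


def _load(text: str) -> configparser.ConfigParser:
    """Parse Splunk-style .conf text; keys are case sensitive, no interpolation."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def _source_glob_to_regex(pattern: str) -> str:
    """Splunk source:: globbing: '...' matches anything incl. '/', '*' anything but '/'."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("...", i):
            out.append(".*"); i += 3
        elif pattern[i] == "*":
            out.append("[^/]*"); i += 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    return "^" + "".join(out) + "$"


def _monitor_stanza(inputs: configparser.ConfigParser, path: str):
    """Return the most specific enabled [monitor://] stanza whose path covers `path`
    and whose whitelist/blacklist (regexes over the full path) admit it, else None."""
    best = None
    for name in inputs.sections():
        if not name.startswith("monitor://"):
            continue
        root = name[len("monitor://"):].rstrip("/")
        if (path == root or path.startswith(root + "/")) and (best is None or len(root) > len(best[0])):
            best = (root, name)
    if best is None:
        return None
    st = inputs[best[1]]
    if st.get("disabled", "false").lower() in ("1", "true"):
        return None
    wl, bl = st.get("whitelist"), st.get("blacklist")
    if wl and not re.search(wl, path):
        return None
    if bl and re.search(bl, path):
        return None
    return best[1]


def _automatic_sourcetype(path: str) -> str:
    """Simplified stand-in for Splunk's file-name based automatic sourcetype:
    drop a common extension and any trailing rotation digits/dates."""
    name = os.path.basename(path)
    name = re.sub(r"\.(log|txt|out)$", "", name)
    name = re.sub(r"[\d._-]+$", "", name)
    return name or "unknown"


def resolve(path: str, inputs_text: str = INPUTS_CONF, props_text: str = PROPS_CONF):
    """Return (sourcetype, origin); sourcetype is None if the file is not monitored."""
    inputs, props = _load(inputs_text), _load(props_text)
    stanza = _monitor_stanza(inputs, path)
    if stanza is None:
        return None, "not monitored by any enabled [monitor://] stanza"
    explicit = inputs[stanza].get("sourcetype")
    if explicit:
        return explicit, f"inputs.conf [{stanza}]"
    best = None
    for name in props.sections():
        if not name.startswith("source::"):
            continue
        pat = name[len("source::"):]
        if re.match(_source_glob_to_regex(pat), path) and props[name].get("sourcetype"):
            if best is None or len(pat) > len(best[0]):
                best = (pat, name)  # longest pattern wins (simplified precedence)
    if best:
        return props[best[1]]["sourcetype"], f"props.conf [{best[1]}]"
    return _automatic_sourcetype(path), "automatic (derived from file name; no conf stanza sets it)"


if __name__ == "__main__":
    for p in ("/var/log/authlog", "/var/log/secure", "/var/adm/messages", "/var/log/cron", "/var/log/lastlog"):
        print(f"{p:22s} -> {resolve(p)}")
```

For /var/log/authlog the script reports the sourcetype as automatic: nothing in either .conf names it, which is why grepping the add-on's files turns up no `authlog`, and the value comes from the file name rather than from any component of the path. Point the two constants at real inputs.conf and props.conf text (default/ merged with local/) to check an actual deployment.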