Hello all,
I have a single data source pointing to a dedicated UDP port for syslog events. When creating the input, I ensured the source type override was set to what was expected and also ensured the data went into the same index called meraki.
I can search the events by index, however they do not appear in data summary nor do they appear when searching by anything with the source or source type. If I navigate into the index, I can see however two source and sourcetypes present called Meraki. I have no transforms or props in etc/local as this is my first data source. I cannot figure out how to get this resolved and the TA will not properly parse events otherwise, as all my tags and event types will then work.
Does anyone have any suggestions please as this is the third answer post in two weeks?
Thank you!
So I ended up looking at what inputs.conf was actually in the local directory, when there was none listed - it explained what I saw in the data summary. These did exist in the TA under etc/apps and in the default directories but not in the primary local. After adding this and adding the line for udp 514 along with source and sourcetype to be used, the events magically aligned. I would have thought adding this as an input with these parameters would have added a line and the same information I used to create the input and ensure data was going to the same index, but it appears not.
Therefore, the best thing I can recommend for those running into this is to check inputs and props, regardless if it's a single instance and ensure there are settings in the local directories to override any others.
Can you try using these commands and check what parameters are being used by Splunk in your inputs.conf and props.conf?
(To check inputs)
$SPLUNK_HOME/bin/splunk cmd btool inputs list --debug
(To check props)
$SPLUNK_HOME/bin/splunk cmd btool props list --debug
Let me know if this helps!!
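To make the layering described in the two answers above concrete (a stanza shipped in the TA's default directory being silently overridden, or not, by what sits in a local directory), here is an added example that is not from this thread and not Splunk's own code. It is a small Python imitation of what `btool inputs list --debug` reports: it parses a few constructed inputs.conf layers, merges them in the simplified global-context precedence (system/local over apps/*/local over apps/*/default over system/default), records which file supplied each key, and applies the [default] stanza fallback. The file paths, app name (TA-meraki) and setting values are constructed for illustration; real btool also handles user context and finer app-ordering rules that this model leaves out.

```python
"""Mini 'btool' for Splunk .conf layering (added example, not Splunk's code)."""

# Constructed sample files, keyed by path relative to $SPLUNK_HOME/etc.
# The app name, host and values are hypothetical.
SAMPLE_FILES = {
    "system/default/inputs.conf": """
[default]
host = splunk-host
index = default
""",
    "apps/TA-meraki/default/inputs.conf": """
# stanza shipped with a hypothetical add-on
[udp://514]
sourcetype = meraki
connection_host = ip
""",
    "system/local/inputs.conf": """
[udp://514]
index = meraki
sourcetype = meraki:syslog
""",
}


def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # keys outside any stanza are ignored
        key, value = line.split("=", 1)
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def layer_rank(path):
    """Lower rank wins. Simplified global-context precedence:
    system/local < apps/*/local < apps/*/default < system/default."""
    parts = path.split("/")
    if parts[0] == "system" and parts[1] == "local":
        return (0, "")
    if parts[0] == "apps" and parts[2] == "local":
        return (1, parts[1])
    if parts[0] == "apps" and parts[2] == "default":
        return (2, parts[1])
    if parts[0] == "system" and parts[1] == "default":
        return (3, "")
    raise ValueError("unrecognised layer: %s" % path)


def resolve(files, conf_name="inputs.conf"):
    """Merge all copies of conf_name, highest-precedence layer first.
    Returns {stanza: {key: (value, source_path)}}."""
    merged = {}
    paths = sorted((p for p in files if p.endswith("/" + conf_name)), key=layer_rank)
    for path in paths:
        for stanza, keys in parse_conf(files[path]).items():
            slot = merged.setdefault(stanza, {})
            for key, value in keys.items():
                slot.setdefault(key, (value, path))  # first (highest) layer wins
    return merged


def effective_stanza(merged, name):
    """Apply the [default] stanza as a fallback, as Splunk does per stanza."""
    out = {k: v for k, (v, _) in merged.get("default", {}).items()}
    out.update({k: v for k, (v, _) in merged.get(name, {}).items()})
    return out


def render_debug(merged):
    """Produce btool --debug-like lines: source path, then stanza or key."""
    lines = []
    for stanza in sorted(merged):
        sources = sorted({src for _, src in merged[stanza].values()})
        lines.append("%-40s [%s]" % (sources[0], stanza))
        for key in sorted(merged[stanza]):
            value, src = merged[stanza][key]
            lines.append("%-40s %s = %s" % (src, key, value))
    return "\n".join(lines)


if __name__ == "__main__":
    merged = resolve(SAMPLE_FILES)
    print(render_debug(merged))
    print("effective udp://514:", effective_stanza(merged, "udp://514"))
```

Running it shows the sourcetype for `udp://514` coming from system/local while `connection_host` still comes from the TA's default directory, which is exactly the kind of split that makes events land under a sourcetype the TA's props and tags do not expect. When the real btool output disagrees with what the UI shows, the path column tells you which layer to edit.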
Thank you for your reply, I will try that and see what is returned.