I am having issues with all versions of UF.
I installed Splunk_TA_nix 7.0.0 on some Splunk UF 22.214.171.124 and old Splunk UF 6.2.4
It has the following stanza in the local/inputs.conf:
blacklist=(lastlog|anaconda.syslog)disabled = 0
For some reason I have many different sourcetypes:
| tstats count where (source=*cron earliest=-4h) by source sourcetype
source sourcetype count
1 /var/log/cron cron 40884
2 /var/log/cron cron-2 41597
3 /var/log/cron cron-3 15487
4 /var/log/cron cron-4 3019
5 /var/log/cron cron-5 681
6 /var/log/cron cron-too_small 3192
7 /var/log/cron monolith_tool_usage 169
8 /var/log/cron sendmail_syslog 1732
9 /var/log/cron syslog 58095
I tried everything to find how this sourcetype is set, I cannot see anything in our indexer of UF props.conf. All the sources in the same stanza have the same issue, but cron is so far the worse.
Any help will be very appreciated,
I would like to take this moment to say that your best bet is to comment out this entry in the Nix TA until Splunk has a better way to get sourcetypes from linux - cron is a great source of data but it doesn't seem that Splunk cares about making the data actually useful, at least in this instance. If you can create your own sourcetype, you should definitely share it on Github, but other than that, I don't know that we're going to be seeing any tools for this any time soon. There may be a good use case for a supplementary TA that adds onto the linux TA which monitors standard files and assigns/defines the correct sourcetypes for them.
I presume this is coming from the learned app in Splunk. Splunk automatically stores the sourcetype in props.conf if it is not mentioned by default.
Please check if the sourcetype is available in the learned app in both UF & indexer. $SPLUNK_HOME\etc\apps\learned\local\