All Apps and Add-ons

sourcetype cron, cron-2 or syslog

GersonGarcia
Path Finder

All,

I am having issues with all versions of UF.

I installed Splunk_TA_nix 7.0.0 on some Splunk UF 8.0.2.1 and old Splunk UF 6.2.4

It has the following stanza in the local/inputs.conf:

[monitor:///var/log]
whitelist=(.log|log$|messages|secure|auth|mesg$|cron$|acpid$|.out)
blacklist=(lastlog|anaconda.syslog)disabled = 0

For some reason I have many different sourcetypes:

| tstats count where (source=*cron earliest=-4h) by source sourcetype

source sourcetype count
1 /var/log/cron cron 40884
2 /var/log/cron cron-2 41597
3 /var/log/cron cron-3 15487
4 /var/log/cron cron-4 3019
5 /var/log/cron cron-5 681
6 /var/log/cron cron-too_small 3192
7 /var/log/cron monolith_tool_usage 169
8 /var/log/cron sendmail_syslog 1732
9 /var/log/cron syslog 58095

I tried everything to find how this sourcetype is set, I cannot see anything in our indexer of UF props.conf. All the sources in the same stanza have the same issue, but cron is so far the worse.

Any help will be very appreciated,

Gerson Garcia

haraksin
Path Finder

I would like to take this moment to say that your best bet is to comment out this entry in the Nix TA until Splunk has a better way to get sourcetypes from linux - cron is a great source of data but it doesn't seem that Splunk cares about making the data actually useful, at least in this instance. If you can create your own sourcetype, you should definitely share it on Github, but other than that, I don't know that we're going to be seeing any tools for this any time soon. There may be a good use case for a supplementary TA that adds onto the linux TA which monitors standard files and assigns/defines the correct sourcetypes for them.

0 Karma

saravanan90
Contributor

I presume this is coming from the learned app in Splunk. Splunk automatically stores the sourcetype in props.conf if it is not mentioned by default.

Please check if the sourcetype is available in the learned app in both UF & indexer. $SPLUNK_HOME\etc\apps\learned\local\

0 Karma

esalesap
Path Finder

I want to know the answer to this too!

Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...