All Apps and Add-ons

sourcetype cron, cron-2 or syslog

GersonGarcia
Path Finder

All,

I am having issues with all versions of UF.

I installed Splunk_TA_nix 7.0.0 on some Splunk UF 8.0.2.1 and old Splunk UF 6.2.4

It has the following stanza in the local/inputs.conf:

[monitor:///var/log]
whitelist=(.log|log$|messages|secure|auth|mesg$|cron$|acpid$|.out)
blacklist=(lastlog|anaconda.syslog)disabled = 0

For some reason I have many different sourcetypes:

| tstats count where (source=*cron earliest=-4h) by source sourcetype

source sourcetype count
1 /var/log/cron cron 40884
2 /var/log/cron cron-2 41597
3 /var/log/cron cron-3 15487
4 /var/log/cron cron-4 3019
5 /var/log/cron cron-5 681
6 /var/log/cron cron-too_small 3192
7 /var/log/cron monolith_tool_usage 169
8 /var/log/cron sendmail_syslog 1732
9 /var/log/cron syslog 58095

I tried everything to find how this sourcetype is set, I cannot see anything in our indexer of UF props.conf. All the sources in the same stanza have the same issue, but cron is so far the worse.

Any help will be very appreciated,

Gerson Garcia

haraksin
Path Finder

I would like to take this moment to say that your best bet is to comment out this entry in the Nix TA until Splunk has a better way to get sourcetypes from linux - cron is a great source of data but it doesn't seem that Splunk cares about making the data actually useful, at least in this instance. If you can create your own sourcetype, you should definitely share it on Github, but other than that, I don't know that we're going to be seeing any tools for this any time soon. There may be a good use case for a supplementary TA that adds onto the linux TA which monitors standard files and assigns/defines the correct sourcetypes for them.

0 Karma

saravanan90
Contributor

I presume this is coming from the learned app in Splunk. Splunk automatically stores the sourcetype in props.conf if it is not mentioned by default.

Please check if the sourcetype is available in the learned app in both UF & indexer. $SPLUNK_HOME\etc\apps\learned\local\

esalesap
Path Finder

I want to know the answer to this too!

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...

We’ve Got Education Validation!

Are you feeling it? All the career-boosting benefits of up-skilling with Splunk? It’s not just a feeling, it's ...