All Apps and Add-ons

sourcetype cron, cron-2 or syslog

Explorer

All,

I am having issues with all versions of UF.

I installed Splunk_TA_nix 7.0.0 on some Splunk UF 8.0.2.1 and old Splunk UF 6.2.4

It has the following stanza in the local/inputs.conf:

[monitor:///var/log]
whitelist=(.log|log$|messages|secure|auth|mesg$|cron$|acpid$|.out)
blacklist=(lastlog|anaconda.syslog)disabled = 0

For some reason I have many different sourcetypes:

| tstats count where (source=*cron earliest=-4h) by source sourcetype

source sourcetype count
1 /var/log/cron cron 40884
2 /var/log/cron cron-2 41597
3 /var/log/cron cron-3 15487
4 /var/log/cron cron-4 3019
5 /var/log/cron cron-5 681
6 /var/log/cron cron-too_small 3192
7 /var/log/cron monolith_tool_usage 169
8 /var/log/cron sendmail_syslog 1732
9 /var/log/cron syslog 58095

I tried everything to find how this sourcetype is set, I cannot see anything in our indexer of UF props.conf. All the sources in the same stanza have the same issue, but cron is so far the worse.

Any help will be very appreciated,

Gerson Garcia

Explorer

I want to know the answer to this too!

0 Karma