linux_secure by default

amortiz
Explorer

I have results from a search that Splunk has tagged as linux_secure (sourcetype); it appears by default. Is there a way to turn that option off?

Thanks,
Al
Splunk 5.03

0 Karma
1 Solution

kristian_kolb
Ultra Champion

You should set sourcetypes manually in inputs.conf.

Sourcetype information is not being 'tagged' (this word has a specific meaning in splunkese). When data is being input into Splunk, a few metadata attributes are set prior to the data being stored in an index. The ones that you'll most likely come across, and which are of greatest importance to you, are probably:

  1. host
  2. source
  3. sourcetype
  4. index

Once the data has been indexed, they cannot be changed. If so required, you'll need to clear your indexes and re-read the files.

Without going into too much detail, I would recommend always configuring 3 and 4 (and 1 and 2 only if necessary). So in inputs.conf on your forwarder, assuming that is what you have:

[monitor:///some/path/to/a/file]
sourcetype = blah
index = bleh

Setting the proper sourcetype will let you control field extraction in a manageable manner. Setting the index will let you deal with different retention times and access rights to stored data.

http://docs.splunk.com/Documentation/Splunk/6.0/Data/Whysourcetypesmatter
http://docs.splunk.com/Documentation/Splunk/6.0/Indexer/Setupmultipleindexes
http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings

Hope this helps,

/K


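The answer above recommends pinning sourcetype and index per monitor stanza so nothing falls back to automatic sourcetyping. The following is an added example, not code from the thread or from Splunk: a small linter that parses an inputs.conf in the Splunk stanza format and reports enabled monitor:// inputs that would still rely on an automatically assigned sourcetype or the default index. The sample inputs.conf, the index name os_auth and the host fwd01 are constructed for the example; linux_secure is the built-in sourcetype name discussed in the thread.

```python
"""
Lint a Splunk-style inputs.conf for monitor:// stanzas that do not set
sourcetype and index explicitly. Such inputs are the ones that end up with
an auto-detected sourcetype (e.g. linux_secure) and land in the default
index, which is exactly the situation the question describes.

Added example; the parser is a deliberately small hand-rolled one and
the sample configuration below is constructed, not taken from any system.
"""
import re
from typing import Dict, List

# Constructed sample: the first monitor stanza pins both keys, the second
# relies on defaults and should be flagged. The [default] stanza only
# supplies host, which does not satisfy either required key.
SAMPLE_INPUTS_CONF = """\
# hypothetical forwarder inputs.conf
[default]
host = fwd01

[monitor:///var/log/secure]
sourcetype = linux_secure
index = os_auth
disabled = false

[monitor:///opt/ourapp/audit.log]
disabled = false
"""

# Keys every monitor stanza should set explicitly (items 3 and 4 in the answer).
REQUIRED_KEYS = ("sourcetype", "index")


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse Splunk .conf text into {stanza_name: {key: value}}.

    '#' lines are comments, '[name]' opens a stanza, 'key = value' pairs
    belong to the most recent stanza. Pairs seen before any stanza header
    are treated as belonging to [default], as Splunk does.
    """
    stanzas: Dict[str, Dict[str, str]] = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, {})
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def find_unpinned_inputs(conf: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Return {stanza: [missing keys]} for enabled monitor:// inputs whose
    effective settings (stanza values over [default] values) lack any of
    REQUIRED_KEYS. Disabled inputs are skipped since they ingest nothing.
    """
    defaults = conf.get("default", {})
    findings: Dict[str, List[str]] = {}
    for name, settings in conf.items():
        if not name.startswith("monitor://"):
            continue
        effective = {**defaults, **settings}
        if effective.get("disabled", "false").lower() in ("1", "true"):
            continue
        missing = [key for key in REQUIRED_KEYS if key not in effective]
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    # Run against the constructed sample; in practice read the forwarder's
    # etc/system/local/inputs.conf or an app's local/inputs.conf instead.
    report = find_unpinned_inputs(parse_conf(SAMPLE_INPUTS_CONF))
    for stanza, missing in report.items():
        print(f"{stanza}: missing {', '.join(missing)} (will be auto-sourcetyped)")
```

Running the block prints one finding, for the audit.log stanza, because it inherits only host from [default]. Treat every finding as an input whose field extraction and retention are not under your control yet; the fix is the stanza form the answer gives, with a sourcetype and index of your own choosing.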
amortiz
Explorer

Thanks, your answer matches what I've slowly been learning!
Have a great weekend.
Al

0 Karma

amortiz
Explorer

It wasn't really a search. We have an OS running on top of Linux that returns specific data to our operations. Splunk tags our data linux_secure, and it appears to change some of the formatting I am used to looking at. I'd like to be able to turn the auto source_type off until I'm sure all of our audit requirements are being picked up by Splunk.

0 Karma

mikelanghorst
Motivator

Sourcetypes are assigned to sources upon ingestion, not tagged from the search. What's the source that's returning with this sourcetype? What's the search you're dealing with?

0 Karma