linux_secure by default

amortiz
Explorer

I have results from a search that Splunk has tagged as linux_secure (sourcetype); it appears by default. Is there a way to turn that option off?

Thanks,
Al
Splunk 5.03

1 Solution

kristian_kolb
Ultra Champion

You should set sourcetypes manually in inputs.conf.

Sourcetype information is not being 'tagged' (this word has a specific meaning in splunkese). When data is being input into Splunk, a few metadata attributes are set prior to the data being stored in an index. The ones that you'll most likely come across, and which are of greatest importance to you, are probably:

  1. host
  2. source
  3. sourcetype
  4. index

Once the data has been indexed, they cannot be changed. If so required, you'll need to clear your indexes and re-read the files.

Without going into too much detail, I would recommend always configuring 3 and 4 (and 1 and 2 only if necessary). So in inputs.conf on your forwarder, assuming that is what you have:

[monitor:///some/path/to/a/file]
# sourcetype selects the field-extraction rules applied to these events
sourcetype = blah
# index selects where the events are stored (retention and access control)
index = bleh

Setting the proper sourcetype will let you control field extraction in a manageable manner. Setting the index will let you deal with different retention times and access rights to stored data.

http://docs.splunk.com/Documentation/Splunk/6.0/Data/Whysourcetypesmatter
http://docs.splunk.com/Documentation/Splunk/6.0/Indexer/Setupmultipleindexes
http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings

Hope this helps,

/K

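A check that follows from the answer above, added here as an example and not code from the original post or from Splunk: audit an inputs.conf for monitor stanzas whose effective settings leave sourcetype or index unset, since those are the stanzas that fall back to automatic sourcetype detection (which is how an auth log ends up as linux_secure) and to the default index. The sample inputs.conf, its paths and its index names are constructed for the example. The merge over the [default] stanza reflects how Splunk applies [default] settings to every stanza in the same file.

```python
"""Audit a Splunk inputs.conf for monitor stanzas that leave sourcetype or index unset.

A monitor stanza with no explicit sourcetype falls back to Splunk's automatic
sourcetype detection, and one with no explicit index lands in the default index,
whose retention and role-based access settings may not be the ones your audit
requirements call for. Settings in the [default] stanza apply to every stanza in
the file, so the audit checks the effective (merged) settings, not just the
stanza's own lines.
"""
import re

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
KV_RE = re.compile(r"^(?P<key>[^=]+?)\s*=\s*(?P<value>.*)$")
REQUIRED = ("sourcetype", "index")

# Constructed sample inputs.conf (hypothetical paths and index names, not from the post).
SAMPLE_INPUTS_CONF = """\
[default]
host = web01

# explicitly pinned: fine
[monitor:///var/log/secure]
sourcetype = linux_secure
index = os_auth

# index pinned, sourcetype left to auto-detection
[monitor:///var/log/audit/audit.log]
index = os_audit

# neither pinned: auto-detected sourcetype, default index
[monitor:///opt/ourapp/logs/ops.log]
disabled = 0
"""


def _logical_lines(text):
    """Yield lines with Splunk-style backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1]
            continue
        yield buf + raw
        buf = ""
    if buf:
        yield buf


def parse_conf(text):
    """Parse .conf text into an ordered {stanza: {key: value}} mapping.

    '#' lines are comments; keys are kept case-sensitive, as Splunk treats them.
    Key/value lines before any stanza header are ignored.
    """
    stanzas = {}
    current = None
    for line in _logical_lines(text):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group("name")
            stanzas.setdefault(current, {})
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            stanzas[current][m.group("key").strip()] = m.group("value").strip()
    return stanzas


def audit_inputs(text):
    """Return {stanza: [missing keys]} for monitor:// stanzas whose effective
    settings (stanza merged over [default]) lack sourcetype or index."""
    stanzas = parse_conf(text)
    defaults = stanzas.get("default", {})
    findings = {}
    for name, settings in stanzas.items():
        if not name.startswith("monitor://"):
            continue
        effective = {**defaults, **settings}
        missing = [key for key in REQUIRED if not effective.get(key)]
        if missing:
            findings[name] = missing
    return findings


def pinned_stanza(name, settings, sourcetype, index):
    """Render the stanza with sourcetype and index set explicitly, keeping any
    other settings it already had. The caller supplies the real values."""
    merged = {**settings, "sourcetype": sourcetype, "index": index}
    return "\n".join([f"[{name}]"] + [f"{k} = {v}" for k, v in merged.items()])


if __name__ == "__main__":
    stanzas = parse_conf(SAMPLE_INPUTS_CONF)
    for name, missing in audit_inputs(SAMPLE_INPUTS_CONF).items():
        print(f"{name}: missing {', '.join(missing)}; suggested stanza:")
        print(pinned_stanza(name, stanzas[name], "<sourcetype>", "<index>"))
        print()
```

Run it against the inputs.conf from each forwarder (or the merged output of `splunk btool inputs list`) before trusting that audit-relevant logs are landing in the index whose retention and role permissions you intended; a stanza flagged here is one whose sourcetype and index were chosen by Splunk, not by you.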

amortiz
Explorer

Thanks, your answer matches what I've slowly been learning!
Have a great weekend.
Al


amortiz
Explorer

It wasn't really a search; we have an OS running on top of Linux that returns specific data to our operations. Splunk tags our data linux_secure, and it appears to change some of the formatting I am used to looking at. I'd like to be able to turn the auto sourcetype off until I'm sure all of our audit requirements are being picked up by Splunk.


mikelanghorst
Motivator

Sourcetypes are assigned to sources upon ingestion, not tagged from the search. What's the source that's returning with this sourcetype? What's the search you're dealing with?
