Getting Data In

Adding Sourcetype causes no results to come back

daniel333
Builder

Hello,

I added a transform/props for my Juniper SRX firewall logs to get sourcetyped as juniper_sa. Worked right out of the gate. BUT when I search by that sourcetype I get no results. However, clear as day I can see that sourcetype on the logs.

Another way of saying it is this:
A search of "index=firewall" returns events which clear as day have the sourcetype "juniper_sa" on them.

a search of "index=firewall sourcetype=juniper_sa" returns no results.

I tried adding the transforms/props to my search head as well as intermediate servers. Didn't seem to matter. Same problem.

Any ideas?


woodcock
Esteemed Legend

The sourcetype=juniper_sa that is in your log text will not override the sourcetype=blah that Splunk will assign to your events unless you configure Splunk to do so. When you search in "Verbose" mode and click on the "All fields" hyperlink, what values does sourcetype have? I am quite sure it will not be juniper_sa. In any case, you need to provide your inputs.conf, props.conf, and transforms.conf if you would like more specific help.

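A minimal index-time sourcetype override of the kind the thread is discussing, as an added example that is not part of the original posts or of any Splunk-shipped configuration; the `[syslog]` input stanza and the `RT_FLOW` match pattern are assumptions and must be adjusted to the real input.

```ini
# props.conf (on the indexer or heavy forwarder that parses the data,
# not on the search head: sourcetype is assigned at index time)
# ASSUMPTION: the SRX events arrive under the "syslog" sourcetype.
[syslog]
TRANSFORMS-juniper_srx = set_sourcetype_juniper_sa

# transforms.conf (same instance)
[set_sourcetype_juniper_sa]
# ASSUMPTION: SRX session/security logs carry the RT_FLOW tag; replace
# the regex with whatever reliably identifies the firewall events.
REGEX = RT_FLOW
FORMAT = sourcetype::juniper_sa
DEST_KEY = MetaData:Sourcetype
```

After a restart of the parsing instance, only newly indexed events receive the new sourcetype; `index=firewall | stats count by sourcetype` shows the indexed value rather than any `sourcetype=` text inside the raw event.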