Getting Data In

Can't find the right source type

pme
New Member

Hello,

I have a problem defining a source type to get logs from a Windows host on my LAN.

I receive the logs over TCP on port 30000. I get the logs, but they aren't parsed well.

Which source type should I choose for my log to be parsed?

The logs are the WinEventLog:Security - Application and System, and what I receive is something like this:

4/25/13 4:23:22.000 x86yxB3z+9kgxE7x00x00x18x009x008x005x003x002x00/x00x16x00x13x00 host=10.1.1.2 sourcetype=WinEventLog source=tcp:30333 source=tcp:30000

As I configure my input data, I don't see any source type that matches.

Also, can I parse my data at the source on the universal forwarder?

Thank you in advance for your response,

PM


Ayn
Legend

Judging by your questions so far I think a good thing for you would be to take the Splunk tutorial first of all (no offense - it's just very good at introducing all kinds of concepts!). For instance, you're asking if you can parse data on the universal forwarder - for one, most "parsing" in Splunk is done at search-time so it would make no sense to attempt it on a forwarder. Secondly, forwarders do not perform any other kind of parsing either, so the answer in either case would be no.

To me it looks like you're sending cooked data from a forwarder to a non-cooked (raw) TCP port on the indexer. You should not be setting up raw TCP inputs on the indexer for this, you should be configuring these ports as receiving ports in the "forwarding and receiving" section of the manager.
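The setup Ayn describes, as an added example configuration (not from the original thread or from Splunk's docs): the raw TCP input beside the corrected splunktcp receiving port, plus the matching forwarder side. Port 9997, the indexer address and the forwarder's event log channels are assumptions.

```ini
# --- Indexer: $SPLUNK_HOME/etc/system/local/inputs.conf ---

# Problem setup (what the thread describes): a raw TCP input on port 30000.
# A universal forwarder sends "cooked" Splunk-to-Splunk data, so the indexer
# stores the protocol bytes as events and no sourcetype can parse them.
# Remove this stanza:
# [tcp://30000]
# sourcetype = WinEventLog

# Corrected setup: a splunktcp receiving port, the same thing the
# "Forwarding and receiving" page in Manager creates. Port 9997 is an
# assumption (Splunk's conventional default); any free port works.
[splunktcp://9997]
disabled = 0

# --- Universal forwarder (Windows host): $SPLUNK_HOME/etc/system/local/outputs.conf ---
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
# indexer.example is a placeholder for the indexer's hostname or IP.
server = indexer.example:9997

# --- Universal forwarder: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# The forwarder tags each channel with its own sourcetype
# (WinEventLog:Security etc.), so the indexer sets none on the receiving port.
[WinEventLog://Security]
disabled = 0

[WinEventLog://Application]
disabled = 0

[WinEventLog://System]
disabled = 0
```

After restarting both sides, `splunk list forward-server` on the forwarder should show the indexer as an active forward, and the events should arrive with sourcetype WinEventLog:Security (and so on) instead of the binary blob quoted above.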

pme
New Member

Thank you for your response,

The logs are the WinEventLog:Security - Application and System, and what I receive is something like this:

4/25/13 4:23:22.000
\x86y\xB3z+9kg\xE7\x00\x00\x18\x009\x008\x005\x003\x002\x00/\x00\x16\x00\x13\x00
host=10.1.1.2 sourcetype=WinEventLog source=tcp:30333 source=tcp:30000

As I configure my input data, I don't see any source type that matches.

Also, can I parse my data at the source on the universal forwarder?

Thank you in advance for your response,

PM


kristian_kolb
Ultra Champion

What are the logs?
You could set a predefined sourcetype if that is what you're sending. Or you start indexing your files, set whatever sourcetype you want, and create the parsing as you go along.

Remember that you can set the field extractions on already indexed data retroactively.

/K
