Getting Data In

How can it be that a source type in use isn't listed in Settings: (Data) Source types?

DUThibault
Contributor

We have a single Splunk instance (the server) with a number of Forwarders on remote machines (the clients). I've installed Splunk_TA_nix which added a number of scripts as data inputs on the clients and on the server. I want to exclude the server, but since there is no way (that I know of) to reassign a script (or any data input for that matter) to a Server class, I first disabled the scripts on the server. This also disabled them on the clients (because the app deployment keeps Splunk_TA_nix in sync I suppose). So I started recreating the scripts as new data inputs assigned to a Server class that includes just the clients. But a number of the scripts have source types (auditd, Unix:ListeningPorts, etc.) that are absent from the Settings: (Data) Source types display, and as a result I cannot create the corresponding new data inputs. At the Input Settings step, just before Review, the Select Source Type drop-down refuses to find the ones I need.

Am I missing something obvious? Is this a bug? Is there a way to do this that is less painful, maybe by editing some .conf file(s)?

0 Karma

s2_splunk
Splunk Employee

If the attribute pulldown_type=true is not set for your relevant sourcetype in props.conf, it won't show up in the UI.

0 Karma

DUThibault
Contributor

Interesting to know (at this point I sure wish that the Splunk Web Source Types page had a "Show hidden source types" check box; likewise for the Input Settings screen of the Add New Data Input workflow), but that does not seem to be what's happening here. Scouring the Splunk_TA_nix and splunk_app_for_nix archives, the only file that contains "pulldown_type" is Splunk_TA_nix/default/props.conf, and its value is true. So that's not why 9 of the 28 source types (auditd, Unix:ListeningPorts, Unix:Service, Unix:SSHDConfig, Unix:Update, Unix:Uptime, Unix:UserAccounts, Unix:Version, Unix:VSFTPDConfig) are invisible to Settings: (Data) Source types.

0 Karma
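Added example, not part of the thread and not code from Splunk or Splunk_TA_nix: settings in props.conf apply per stanza, so this sketch checks each source type referenced by an input for its own pulldown_type value. The sample file contents, the script names and the function names are constructed for illustration.

```python
import re

# Constructed sample files for illustration; not the real Splunk_TA_nix contents.
SAMPLE_PROPS = """\
[cpu]
pulldown_type = true
[Unix:ListeningPorts]
SHOULD_LINEMERGE = false
[auditd]
pulldown_type = false
"""
SAMPLE_INPUTS = """\
[script://./bin/example_cpu.sh]
sourcetype = cpu
[script://./bin/example_ports.sh]
sourcetype = Unix:ListeningPorts
[monitor:///var/log/audit/audit.log]
sourcetype = auditd
"""

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def hidden_sourcetypes(props_text, inputs_text):
    """Map each source type used by an input to why it lacks pulldown_type=true."""
    props = parse_conf(props_text)
    used = {s["sourcetype"] for s in parse_conf(inputs_text).values() if "sourcetype" in s}
    report = {}
    for st in sorted(used):
        value = props.get(st, {}).get("pulldown_type")
        if st not in props:
            report[st] = "no props.conf stanza"
        elif value is None:
            report[st] = "pulldown_type not set"
        elif value.lower() not in ("1", "true"):  # truthy spellings assumed here
            report[st] = "pulldown_type = " + value
    return report
```

This reads one props.conf and one inputs.conf at a time; the configuration Splunk actually applies is merged across apps and default/local directories, which `splunk btool props list` prints.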