How can it be that a source type in use isn't listed in Settings: (Data) Source types?

DUThibault
Contributor

We have a single Splunk instance (the server) with a number of Forwarders on remote machines (the clients). I've installed Splunk_TA_nix which added a number of scripts as data inputs on the clients and on the server. I want to exclude the server, but since there is no way (that I know of) to reassign a script (or any data input for that matter) to a Server class, I first disabled the scripts on the server. This also disabled them on the clients (because the app deployment keeps Splunk_TA_nix in sync I suppose). So I started recreating the scripts as new data inputs assigned to a Server class that includes just the clients. But a number of the scripts have source types (auditd, Unix:ListeningPorts, etc.) that are absent from the Settings: (Data) Source types display, and as a result I cannot create the corresponding new data inputs. At the Input Settings step, just before Review, the Select Source Type drop-down refuses to find the ones I need.

Am I missing something obvious? Is this a bug? Is there a way to do this that is less painful, maybe by editing some .conf file(s)?

0 Karma

s2_splunk
Splunk Employee

If the attribute pulldown_type=true is not set for your relevant sourcetype in props.conf, it won't show up in the UI.

0 Karma

DUThibault
Contributor

Interesting to know (at this point I sure wish that the Splunk Web Source Types page had a "Show hidden source types" check box; likewise for the Input Settings screen of the Add New Data Input work flow), but that does not seem to be what's happening here. Scouring the Splunk_TA_nix and splunk_app_for_nix archives, the only file that contains "pulldown_type" is Splunk_TA_nix/default/props.conf, and its value is true. So that's not why 9 of the 28 source types (auditd, Unix:ListeningPorts, Unix:Service, Unix:SSHDConfig, Unix:Update, Unix:Uptime, Unix:UserAccounts, Unix:Version, Unix:VSFTPDConfig) are invisible to Settings: (Data) Source types.

0 Karma
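
The `pulldown_type` attribute is set per stanza, so a file can contain it and still have stanzas without it. The following is an added example, not part of the original thread and not Splunk's own code: it lists the source-type stanzas of a `props.conf` whose effective `pulldown_type` is not true, layering a `local/` copy over `default/`. The stanza names, the sample text and the accepted boolean spellings are assumptions made for the illustration.

```python
NON_SOURCETYPE_PREFIXES = ("source::", "host::", "rule::", "delayedrule::")
TRUTHY = {"1", "true", "t", "yes", "y"}  # assumed spellings of a true boolean

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}."""
    stanzas, current, pending = {}, "default", ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if line.endswith("\\"):            # value continues on the next line
            pending = line[:-1]
            continue
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def hidden_sourcetypes(default_text, local_text=""):
    """Return source-type stanzas whose effective pulldown_type is not true."""
    conf = parse_conf(default_text)
    for stanza, settings in parse_conf(local_text).items():
        conf.setdefault(stanza, {}).update(settings)   # local wins key by key
    global_settings = conf.get("default", {})          # applies to every stanza
    hidden = []
    for stanza, settings in conf.items():
        if stanza == "default" or stanza.startswith(NON_SOURCETYPE_PREFIXES):
            continue                                   # not a source-type stanza
        value = {**global_settings, **settings}.get("pulldown_type", "")
        if value.lower() not in TRUTHY:
            hidden.append(stanza)
    return sorted(hidden)

# Constructed sample input; these are not the contents of Splunk_TA_nix.
SAMPLE_DEFAULT = """\
[demo:visible]
pulldown_type = true
[demo:hidden]
SHOULD_LINEMERGE = false
[demo:local_fix]
KV_MODE = auto
[source::.../var/log/demo.log]
sourcetype = demo:visible
"""
SAMPLE_LOCAL = "[demo:local_fix]\npulldown_type = true\n"

if __name__ == "__main__":
    print(hidden_sourcetypes(SAMPLE_DEFAULT, SAMPLE_LOCAL))
```

To check a real add-on, pass the text of its `default/props.conf` and `local/props.conf` instead of the samples. The output of `splunk btool props list` shows the settings Splunk actually merges and can be compared against the result.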