Getting Data In

How do I configure custom sourcetypes on Universal Forwarders and Indexers?

rob_lamb
Explorer

I have two Linux VMs set up, one with a Universal Forwarder and one with an Indexer. I have a script that generates dummy data (on the forwarder) that needs a custom sourcetype set up in order to parse the events correctly.

On the Universal Forwarder props.conf is currently empty, and inputs.conf contains:

[monitor:///home/splunk/data/data1*.soap]
_TCP_ROUTING = SOAP
disabled = false
sourcetype = soaptype

On the Indexer, props.conf contains:

[soaptype]
BREAK_ONLY_BEFORE = <SOAP-ENV:Envelope
TIME_PREFIX = <ns1:dateRequested>

As of right now my events aren't making it into the indexer at all. If I remove the sourcetype from inputs.conf and props.conf, data appears, but it is splitting the events incorrectly.

Any suggestions? Many thanks!

1 Solution

skoelpin
SplunkTrust

Sounds like you have a few problems here. First let's address the forwarder not sending data to the indexer. Do you have the hostname specified in the outputs.conf on the forwarder? If not, then this will solve your problem; don't forget to restart the Splunk service on the forwarder.

Your next issue is defining the sourcetype so it remains constant. Go into the props.conf on the indexer and add this stanza, then restart your Splunk service on the indexer. If you specify your sourcetype in the props.conf then it will automatically default to what you specified when the data is being indexed.

[soaptype]
BREAK_ONLY_BEFORE = <SOAP-ENV:Envelope
TIME_PREFIX = <ns1:dateRequested>
sourcetype = soaptype

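To see what the question's inputs.conf/props.conf pair and the answer's two checks (a route to the indexer in outputs.conf, a props.conf stanza whose name matches the sourcetype set in inputs.conf) actually do before restarting anything, here is an added Python example. It is not code from the thread or from Splunk: it parses the quoted stanzas, flags a sourcetype with no matching props stanza or a `_TCP_ROUTING` group with no `[tcpout:<group>]` server, and emulates how BREAK_ONLY_BEFORE and TIME_PREFIX would break and time-stamp a sample file. The outputs.conf, the sample .soap file, the ISO 8601 timestamp layout and the host name `indexer.example.internal` are all constructed assumptions; the real data in the thread is not shown.

```python
import configparser
import re
from datetime import datetime

# Constructed copies of the forwarder/indexer fragments quoted in the thread.
INPUTS_CONF = """
[monitor:///home/splunk/data/data1*.soap]
_TCP_ROUTING = SOAP
disabled = false
sourcetype = soaptype
"""
PROPS_CONF = """
[soaptype]
BREAK_ONLY_BEFORE = <SOAP-ENV:Envelope
TIME_PREFIX = <ns1:dateRequested>
"""
# The thread never shows outputs.conf; this is an assumed, constructed example of
# the tcpout group that _TCP_ROUTING = SOAP refers to (host name is a placeholder).
OUTPUTS_CONF = """
[tcpout:SOAP]
server = indexer.example.internal:9997
"""
# Constructed sample of a data1*.soap file (two envelopes). The ISO 8601 timestamp
# layout is an assumption; the thread does not show the real data.
SAMPLE_FILE = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body>
    <ns1:dateRequested>2019-03-04T10:15:30</ns1:dateRequested>
    <ns1:symbol>ACME</ns1:symbol>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body>
    <ns1:dateRequested>2019-03-04T10:16:05</ns1:dateRequested>
    <ns1:symbol>WIDGET</ns1:symbol>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
"""
TIME_FORMAT = "%Y-%m-%dT%H:%M:%S"   # assumed; would be TIME_FORMAT in props.conf
TIMESTAMP_RE = r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}"
MAX_TIMESTAMP_LOOKAHEAD = 128       # Splunk's default window after TIME_PREFIX


def load_conf(text):
    """Parse a Splunk .conf fragment (INI syntax) into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case: BREAK_ONLY_BEFORE, not break_only_before
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def missing_sourcetype_stanzas(inputs, props):
    """Sourcetypes set in inputs.conf that have no matching [sourcetype] stanza in props.conf."""
    referenced = {v["sourcetype"] for v in inputs.values() if "sourcetype" in v}
    return sorted(referenced - set(props))


def unrouted_tcpout_groups(inputs, outputs):
    """_TCP_ROUTING groups with no [tcpout:<group>] stanza naming a server in outputs.conf."""
    bad = []
    for stanza in inputs.values():
        for group in stanza.get("_TCP_ROUTING", "").split(","):
            group = group.strip()
            if group and "server" not in outputs.get("tcpout:" + group, {}):
                bad.append(group)
    return sorted(set(bad))


def break_events(raw, stanza):
    """Emulate BREAK_ONLY_BEFORE: a line matching the regex starts a new event
    (line merging on, the default); every other line is appended to the current one."""
    starts = re.compile(stanza["BREAK_ONLY_BEFORE"])
    events, current = [], []
    for line in raw.splitlines():
        if starts.search(line) and current:
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events


def extract_timestamp(event, stanza, time_format=TIME_FORMAT):
    """Emulate TIME_PREFIX: look for the timestamp only in the lookahead window
    that follows the prefix match, so a date elsewhere in the event is ignored."""
    prefix = re.search(stanza["TIME_PREFIX"], event)
    if not prefix:
        return None
    window = event[prefix.end(): prefix.end() + MAX_TIMESTAMP_LOOKAHEAD]
    ts = re.match(TIMESTAMP_RE, window)
    return datetime.strptime(ts.group(0), time_format) if ts else None


def parse_soap_file(raw=SAMPLE_FILE, props_text=PROPS_CONF, sourcetype="soaptype"):
    """Return [(timestamp, raw_event)] as the indexer would break and time-stamp the file."""
    stanza = load_conf(props_text)[sourcetype]
    return [(extract_timestamp(e, stanza), e) for e in break_events(raw, stanza)]


if __name__ == "__main__":
    inputs, props, outputs = (load_conf(t) for t in (INPUTS_CONF, PROPS_CONF, OUTPUTS_CONF))
    print("sourcetypes without a props.conf stanza:", missing_sourcetype_stanzas(inputs, props))
    print("_TCP_ROUTING groups without a tcpout server:", unrouted_tcpout_groups(inputs, outputs))
    for ts, event in parse_soap_file():
        print(ts, "->", event.splitlines()[0][:30] + "...")
```

Run it as-is and both checks come back empty and the sample splits into two events, each stamped from its own `<ns1:dateRequested>`. Delete the `[soaptype]` stanza or the `[tcpout:SOAP]` stanza from the constructed text and the corresponding check names what is missing, which is the state the original question describes. The emulation is deliberately simplified (no SHOULD_LINEMERGE, MAX_EVENTS or timestamp auto-detection); it is for sanity-checking the two regexes against real sample lines, not a replacement for testing on the indexer.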

rob_lamb
Explorer

I've added "sourcetype = soaptype" to my [soaptype] stanza on the indexer's props.conf per your note above, and restarted the indexer. I also cleaned up my outputs.conf file on my Universal Forwarder and restarted that.
When I dropped in a new file, the indexer picked it up and parsed it correctly. Thanks very much for the assistance!
