How to undo a command that changed the name of my sourcetype?

jgorman_THG
Explorer

Hello,

For some reason, when setting up some heavy forwarders to accept syslog data on UDP 514, a colleague of mine ran the following command:

Splunk add UDP 514 -sourcetype udp:514. 

This added the following stanza to %splunkhome%/etc/apps/search/local/inputs.conf:

[udp://514]
connection_host = ip
sourcetype = udp:514

This is forcing sourcetype name "udp:514" on all the data that come in on that port.

My question is, if I just remove the "sourcetype = udp:514", will all future data be assigned the correct automatic sourcetypes?

Thanks,

JG

0 Karma

skoelpin
SplunkTrust

Yes, correct. You define the sourcetype in inputs.conf, which your co-worker has done. You can remove the sourcetype line and it will auto-assign the sourcetype. Reminder to restart the Splunk service for this change to take effect.

0 Karma

jgorman_THG
Explorer

Hi,

Thanks for your help.

Do I need to restart just the heavy forwarders, or the indexers as well?

Thanks,

JG

0 Karma

sshelly_splunk
Splunk Employee

You should only need to restart the heavy forwarder(s).

0 Karma

jgorman_THG
Explorer

Hi!

I made the change and restarted the forwarders to no avail. I also restarted the indexer for good measure, but it's still showing that same sourcetype.

Can you think of what else it might be or how else I could troubleshoot this?

Thanks,

JG

0 Karma

sshelly_splunk
Splunk Employee

You can remove that sourcetype statement. The sourcetype then will be determined by the type of data coming in. You can add something like this:

[udp://somehostip:514]
sourcetype=somesourcetype
[udp://someotherhostip:514]
sourcetype=someothersourcetype

The statement:
[udp://somehostip:514]
means accept only from this remote host on port 514, and apply this stanza to that host's incoming data, so you can have several stanzas for each host/sourcetype combo.

0 Karma
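
Added example, not part of the thread or of Splunk's own tooling: a Python check that walks every inputs.conf under a Splunk home and reports each UDP stanza on a given port that still sets a sourcetype, separating the all-senders form `[udp://514]` from the per-host form `[udp://host:514]`. The second app name `syslog_inputs`, the address `10.0.0.5` and the sample files are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# [udp://514] applies to every sender; [udp://<host>:514] to one remote host.
UDP_STANZA = re.compile(r"^\[udp://(?:([^:\]]*):)?(\d+)\]$")

def forced_sourcetypes(splunk_home, port):
    """List (file, remote host or None, sourcetype) for each UDP stanza on
    `port` that sets sourcetype in any inputs.conf below etc/."""
    hits = []
    for conf in sorted(Path(splunk_home, "etc").rglob("inputs.conf")):
        rel = conf.relative_to(splunk_home).as_posix()
        host, active = None, False
        for raw in conf.read_text(encoding="utf-8", errors="replace").splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if line.startswith("["):
                m = UDP_STANZA.match(line)
                active = bool(m) and int(m.group(2)) == port
                host = (m.group(1) or None) if active else None
            elif active and "=" in line:
                key, value = (part.strip() for part in line.split("=", 1))
                if key == "sourcetype":
                    hits.append((rel, host, value))
    return hits

def build_sample_home(root):
    """Constructed tree: the line is gone from the search app, but a
    second app (hypothetical name) still forces the sourcetype."""
    files = {
        "etc/apps/search/local/inputs.conf":
            "[udp://514]\nconnection_host = ip\n",
        "etc/apps/syslog_inputs/local/inputs.conf":
            "[udp://514]\nsourcetype = udp:514\n\n"
            "[udp://10.0.0.5:514]\nsourcetype=somesourcetype\n\n"
            "[udp://515]\nsourcetype = other\n",
    }
    for rel, body in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body, encoding="utf-8")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for conf, host, st in forced_sourcetypes(build_sample_home(tmp), 514):
            print(f"{conf}: host={host or 'any'} sourcetype={st}")
```

On a real forwarder, pass the Splunk installation directory instead of the sample tree; `splunk btool inputs list --debug` shows the merged configuration with the file each setting comes from.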