Getting Data In

Is it normal to have both sourcetype UDP:514 and sourcetype syslog?

jgorman_THG
Explorer

Hello,

My colleague configured 1 heavy forwarder and I configured the other 2. In my Splunk, I see both sourcetype UDP:514 and sourcetype syslog.

Is this normal, or did we set different sourcetypes when we set them up?

We used the CLI and when I check \splunk\home\etc\local\inputs.conf the file has almost nothing in it, except the host...

Can someone tell me where I can go to compare on the 2 systems if we have set different sourcetypes?

Thanks,

0 Karma

s2_splunk
Splunk Employee

Best practice for ingesting syslog data is to send it to a syslog/syslog-ng server, which writes to directories/files, and have a universal forwarder monitor those files. Only this approach allows you to assign proper sourcetypes to your log data. "syslog" is not a very meaningful sourcetype when users want to try and find logs from firewalls, IPSs, switches, etc.

Having said that: You can run a search to identify which of your HFs is sending which sourcetype and then check your configuration on the relevant server.
You can also run

./splunk cmd btool inputs list --debug

to list out all configuration settings for inputs.conf and it will tell you which configuration file it was taken from.

0 Karma
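As an added example (not part of the thread, and not Splunk's own tooling): a small Python script that reads `btool inputs list --debug` output captured on two heavy forwarders, resolves the sourcetype each `udp://` stanza will actually get, reports which file set it, and lists the stanzas where the two hosts disagree. The sample btool output, file paths, hostnames and port are constructed for the example. Two points of Splunk behaviour are taken as assumptions here: that a setting in the `[default]` stanza applies to stanzas that do not override it, and that a UDP input with no sourcetype configured is reported as `udp:<port>` (which is what the original question observes).

```python
import re

# Constructed sample btool --debug output for two heavy forwarders
# (paths, ports and hostnames are assumptions, not taken from the thread).
HF1_BTOOL = """\
/opt/splunk/etc/apps/search/local/inputs.conf    [udp://514]
/opt/splunk/etc/apps/search/local/inputs.conf    connection_host = ip
/opt/splunk/etc/apps/search/local/inputs.conf    sourcetype = syslog
/opt/splunk/etc/system/default/inputs.conf       _rcvbuf = 1572864
/opt/splunk/etc/system/local/inputs.conf         [default]
/opt/splunk/etc/system/local/inputs.conf         host = hf01
"""

HF2_BTOOL = """\
/opt/splunk/etc/apps/search/local/inputs.conf    [udp://514]
/opt/splunk/etc/apps/search/local/inputs.conf    connection_host = ip
/opt/splunk/etc/system/default/inputs.conf       _rcvbuf = 1572864
/opt/splunk/etc/system/local/inputs.conf         [default]
/opt/splunk/etc/system/local/inputs.conf         host = hf02
"""

# btool --debug prints "<file path><whitespace><stanza header or key = value>"
LINE_RE = re.compile(r"^(\S+)\s+(.*\S)\s*$")
STANZA_RE = re.compile(r"^\[(.*)\]$")
UDP_STANZA_RE = re.compile(r"^udp://(?:[^:]+:)?(\d+)$")


def parse_btool_debug(text):
    """Return {stanza: {key: (value, file_that_set_it)}} from btool --debug output."""
    stanzas = {}
    current = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        path, body = m.groups()
        sm = STANZA_RE.match(body)
        if sm:
            current = sm.group(1)
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in body:
            continue
        key, value = (part.strip() for part in body.split("=", 1))
        stanzas[current][key] = (value, path)
    return stanzas


def effective_sourcetypes(text):
    """Map each udp:// stanza to (sourcetype, file_that_set_it).

    Resolution order: the stanza's own setting, then the [default] stanza,
    then the implicit "udp:<port>" (file reported as None). The fallbacks
    are assumptions about Splunk's behaviour, not taken from the thread.
    """
    stanzas = parse_btool_debug(text)
    default_st = stanzas.get("default", {}).get("sourcetype")
    result = {}
    for name, settings in stanzas.items():
        um = UDP_STANZA_RE.match(name)
        if not um:
            continue
        if "sourcetype" in settings:
            result[name] = settings["sourcetype"]
        elif default_st:
            result[name] = default_st
        else:
            # Assumed Splunk default for a UDP input with no sourcetype set.
            result[name] = ("udp:" + um.group(1), None)
    return result


def compare_hosts(btool_a, btool_b):
    """Return {stanza: (sourcetype_a, sourcetype_b)} for stanzas that differ."""
    a = effective_sourcetypes(btool_a)
    b = effective_sourcetypes(btool_b)
    diffs = {}
    for stanza in sorted(set(a) | set(b)):
        st_a = a.get(stanza, (None, None))[0]
        st_b = b.get(stanza, (None, None))[0]
        if st_a != st_b:
            diffs[stanza] = (st_a, st_b)
    return diffs


if __name__ == "__main__":
    for label, text in (("hf01", HF1_BTOOL), ("hf02", HF2_BTOOL)):
        for stanza, (st, path) in effective_sourcetypes(text).items():
            where = path or "(implicit default)"
            print(f"{label} [{stanza}] sourcetype={st} set_in={where}")
    print("differences:", compare_hosts(HF1_BTOOL, HF2_BTOOL))
```

To use it against real forwarders, run `./splunk cmd btool inputs list --debug` on each HF, save the output, and pass the two captures to `compare_hosts`. The `set_in` path is the part worth reading: it shows whether the sourcetype came from `etc/system/local`, an app's `local` directory, or nowhere at all, which is what the asker could not see by looking at one inputs.conf file.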