Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Issue with Sourcetype name

alexspunkshell
Contributor
‎09-22-2023 09:50 AM

I am getting different sourcetype name in my logs. But I want the sourcetype name as per conf file.

Below are the screenshots of input.conf, props.conf & transforms.conf .

alexspunkshell_0-1695400950043.png

Props & Transforms

alexspunkshell_2-1695401306383.png

 

Inputs

alexspunkshell_3-1695401342803.png

 

 

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-22-2023 11:22 AM

Please use btool to ensure no other files add settings for the sourcetype.

 

splunk btool --debug props list vclog | grep -v "system\/default"

 

What query created the output in the first screenshot?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

alexspunkshell
Contributor
‎09-22-2023 11:45 AM

@richgalloway  No luck!  But I confirm there is no other files and settings.

Command used : index=vmware | stats count by sourcetype

Currently syslog is ingesting via universal forwarder.

Current configuration

input.conf
[monitor:///opt/syslog/vmware/10.149.xx.xx/*-syslog.log]
disabled = false
host_segment = 4
index = vmware-vclog
sourcetype = vclog
initCrcLength = 2048

Props.conf
[source::/opt/syslog/vmware/10.149.xx.xx/*]
TRANSFORMS-null= setnull

[vclog]
LINE_BREAKER = ([\r\n]+)\<\d+\>\d
SHOULD_LINEMERGE = false

transforms.conf
[setnull]
REGEX = ^\w+\W
DESK_KEY = queue
FORMAT = nullQueue

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...