Re: Issue with Sourcetype name

alexspunkshell · ‎09-22-2023

I am getting different sourcetype name in my logs. But I want the sourcetype name as per conf file.

Below are the screenshots of input.conf, props.conf & transforms.conf .

Props & Transforms

Inputs

richgalloway · ‎09-22-2023

Please use btool to ensure no other files add settings for the sourcetype.

splunk btool --debug props list vclog | grep -v "system\/default"

What query created the output in the first screenshot?

---
If this reply helps you, Karma would be appreciated.

alexspunkshell · ‎09-22-2023

@richgalloway No luck! But I confirm there is no other files and settings.

Command used : index=vmware | stats count by sourcetype

Currently syslog is ingesting via universal forwarder.

Current configuration

input.conf
[monitor:///opt/syslog/vmware/10.149.xx.xx/*-syslog.log]
disabled = false
host_segment = 4
index = vmware-vclog
sourcetype = vclog
initCrcLength = 2048

Props.conf
[source::/opt/syslog/vmware/10.149.xx.xx/*]
TRANSFORMS-null= setnull

[vclog]
LINE_BREAKER = ([\r\n]+)\<\d+\>\d
SHOULD_LINEMERGE = false

transforms.conf
[setnull]
REGEX = ^\w+\W
DESK_KEY = queue
FORMAT = nullQueue

Issue with Sourcetype name

inputs.conf

Linux

props.conf

transforms.conf

universal forwarder

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!