Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Several small log files - sourcetype = local-too_small

ikulcsar
Communicator
‎11-29-2017 05:47 AM

Hi,

I've got a problem with monitoring several log files generated by syslog-ng. There are 50+ switches. I am collecting their logs with a syslog-ng server, generating separate log files for every switch, every day. Some of them send only a few lines so that logs file is small.
I can collect all the logs, but I have got an issue with the sourcetype. All (most?) of the small log file has a local-too_small sourcetype instead of syslog, which I configured explicitly. Based on my research and testing, the auto sourcetype can cause this, but I already add the sourcetype. So what I am doing wrong, why the Splunk ignore it?

inputs.conf:
[monitor:///var/log/remotelogs/*/log/]
host_segment = 8
index = default
sourcetype=syslog

Regards,
István

Reply

ikulcsar
Communicator
‎12-02-2017 01:21 AM

Hi,

Finally, I reinstall it from the scratch with Splunk Ent. 7.0, reconfigure the inputs and it works... I can not explain and unfortunately cannot reproduce that behavior...

Thank you for your kind help.
Regards,
István

0 Karma
Reply

ikulcsar
Communicator
‎12-02-2017 01:21 AM

Hi,

Finally, I reinstall it from the scratch with Splunk Ent. 7.0, reconfigure the inputs and it works... I can not explain and unfortunately cannot reproduce that behavior...

Thank you for your kind help.
Regards,
István

0 Karma
Reply

harsmarvania57
Ultra Champion
‎11-29-2017 06:03 AM

Hi @ikulcsar,

Can you please check your inputs.conf configuration using btool $SPLUNK_HOME/bin/splunk cmd btool inputs --debug list and check whether sourcetype=syslog is assigned to your monitor stanza or not? If it is assigned then can you please try to restart splunkforwarder ?

0 Karma
Reply

ikulcsar
Communicator
‎11-29-2017 07:27 AM

Hi,
Thank you for your comment. Here is the output. I modified the monitor definition to be more specific, restart the full server, too. But no change.

/opt/splunk/etc/system/local/inputs.conf [monitor:///var/log/remotelogs//log///]
/opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864
/opt/splunk/etc/system/local/inputs.conf host = shadow
/opt/splunk/etc/system/local/inputs.conf host_segment = 8
/opt/splunk/etc/system/local/inputs.conf index = default
/opt/splunk/etc/system/local/inputs.conf sourcetype = syslog

Any other idea?

Regards,
István

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...