Sourcetype missing

pratapa · ‎03-13-2020

We noticed that one of the sourcetype "wms_oracle_sessions" is missing.

when we search the following queries, no results found.

index=main sourcetype=wms_oracle_sessions

sourcetype=wms_oracle_sessions

due to which the following query is not displaying any events. No results found.

How can we proceed further to get this work?

Can we recreate the sourcetype?
If we recreate the sourcetype, will the data be displayed?

codebuilder · ‎03-16-2020

If you created the sourcetype via the web ui, note that it is not implemented in that process. You need to copy the output of the generated props.conf and copy it to the file itself, then cycle Splunk for it to take effect. Additionally, in order for your sourcetypes to be applied at search time, you must be searching within the context of the app to which it was applied.

----
An upvote would be appreciated and Accept Solution if it helps!

Sourcetype missing

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation

Sourcetype missing

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future