Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Sourcetype not changing for windows application logs

jericksonpf
Path Finder
‎08-28-2013 02:52 PM

I have a universal forwarder sending the application logs for a windows 2003 server we have that only runs one application.

Here is what my inputs.conf stanza looks like:

[WinEventLog:Application]
index=radical_index
sourcetype=bizznezz

However the logs show up in splunk as WinEventLog:Application no matter how many times i restart the service.

Interestingly as a test i changed the hostname on the inputs.conf and that change was immediately reflected

Tags (2)
0 Karma
Reply

lukejadamec
Super Champion
‎08-28-2013 04:57 PM

It sounds like one of your other apps is mining data and tagging it with the windows application source type.

If your bizznezz sourcetype has data, then you really are asking how to stop the other apps from also sourcetyping this data.

0 Karma
Reply

lukejadamec
Super Champion
‎09-04-2013 11:55 AM

I'm pretty sure the stanza you're looking for is in splunk/etc/apps/windows/default/eventgen/transforms.conf
But I don't know how to change it to make it stop tagging your logs.
I still don't really understand, why is it a problem to have them all tagged with the application sourcetype?

0 Karma
Reply

jericksonpf
Path Finder
‎09-04-2013 11:32 AM

where do i check whcih apps are sourcetyping? do i have to looks at the props.conf for each app? Doesn't splunk itself autmatically generate fields

0 Karma
Reply

jericksonpf
Path Finder
‎08-28-2013 03:25 PM

yes they are receiving events. These are biztalk logs

0 Karma
Reply

lukejadamec
Super Champion
‎08-28-2013 03:19 PM

What windows related apps do you have installed on the forwarder and indexer?

Also, is the sourcetype bizznezz populated with the data?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...

Introduction to Splunk AI

How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...