Getting Data In

Sourcetype not showing up properly.

jambajuice
Communicator

I cleaned up some of the inputs on a Cisco ACS server to remove some commands that are no longer supported in 4.1. After making the modification to the various sources in inputs.conf, when I search on those sources, the sourcetype has a "-2" appended to it. So, TACACS_Failed_Attempts is showing up as TACACS_Failed_Attempts-2. This is throwing off all of my transforms because the sourcetype doesn't match. Why is Splunk doing this and what do I have to do to make it recognize the proper sourcetype?

[monitor://C:\Program Files\CiscoSecure ACS v4.1\Logs\Failed Attempts\Failed Attempts active.csv]
disabled = false
host = semvacs01
index = default
sourcetype = TACACS_Failed_Attempts

[monitor://C:\Program Files\CiscoSecure ACS v4.1\Logs\Passed Authentications\Passed Authentications active.csv]
disabled = false
host = semvacs01
index = default
sourcetype = TACACS_Passed_Authentications

[monitor://C:\Program Files\CiscoSecure ACS v4.1\Logs\TACACS+ Accounting\TACACS+ Accounting active.csv]
disabled = false
host = semvacs01
index = default
sourcetype = TACACS_Accounting

[monitor://C:\Program Files\CiscoSecure ACS v4.1\Logs\TACACS+ Administration\Tacacs+ Administration active.csv]
disabled = false
host = semvacs01
index = default
sourcetype = TACACS_Admin

[monitor://C:\Program Files\CiscoSecure ACS v4.1\Logs\AdminAudit\Administration Audit active.csv]
disabled = false
host = semvacs01
index = default
sourcetype = ACS_Admin_Audit

Thanks.

Craig


tzhmaba2
Path Finder

Hi jrodman,

I'm sorry, but I didn't understand a word of your answer in regard to the problem. Why is this -2 showing up in the sourcetype, and how do we get rid of it? What does the extraction of fields have to do with the fact that a sourcetype is being doubled? I have the same phenomenon. I have cleared one index, reinstalled Splunk on one of the clients and let it index again, and I still have the sourcetype with this -2 appended. Could you explain this in the simplest words? And how to get rid of it?

Regards


jrodman
Splunk Employee

What were you upgrading from?

I thought the -2 artifact arrived in 4.0, but it might have been new with 4.1.

This is an artifact of CHECK_FOR_HEADER, which is sort of always on for csv files, even if they are given another sourcetype, at least with older versions of 4.1.

I'll have to refer to the specific bug, but I thought this would not happen for an explicit sourcetype in 4.1.6. Do you expect to be able to get fields that are labelled by the headers of these files? If so you might need this code enabled, and perhaps sourcetype aliasing is the best solution.

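An added example, not code from the thread or from Splunk: it parses the poster's inputs.conf stanzas (constructed here from the question), lists the CSV monitors that carry an explicit sourcetype, emits the props.conf fragment that pins each one with CHECK_FOR_HEADER = false (the setting jrodman's answer points to), and maps any observed "name-N" sourcetypes back to the configured name so transforms can be checked. CHECK_FOR_HEADER and the monitor:// stanza keys are real Splunk .conf settings; the helper names are my own.

```python
import re

# Constructed sample: two of the question's monitor stanzas in inputs.conf layout.
INPUTS_CONF = r"""
[monitor://C:\Program Files\CiscoSecure ACS v4.1\Logs\Failed Attempts\Failed Attempts active.csv]
disabled = false
host = semvacs01
index = default
sourcetype = TACACS_Failed_Attempts

[monitor://C:\Program Files\CiscoSecure ACS v4.1\Logs\TACACS+ Accounting\TACACS+ Accounting active.csv]
disabled = false
host = semvacs01
index = default
sourcetype = TACACS_Accounting
"""

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}; blank and comment lines are skipped."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def csv_sourcetypes(inputs):
    """Explicit sourcetypes on monitored .csv files: the ones header detection may relabel."""
    return sorted({attrs["sourcetype"] for stanza, attrs in inputs.items()
                   if stanza.startswith("monitor://") and stanza.lower().endswith(".csv")
                   and "sourcetype" in attrs})

def props_conf_pinning(sourcetypes):
    """props.conf stanzas that switch off header-based sourcetype learning for each type."""
    return "\n\n".join(f"[{st}]\nCHECK_FOR_HEADER = false" for st in sourcetypes) + "\n"

SUFFIX = re.compile(r"^(?P<base>.+?)-(?P<n>\d+)$")

def learned_variants(observed, configured):
    """Map observed 'name-N' sourcetypes to the configured base name they were learned from."""
    out = {}
    for st in observed:
        m = SUFFIX.match(st)
        if m and m.group("base") in configured:
            out[st] = m.group("base")
    return out
```

Feed `learned_variants` the sourcetype list from a `| metadata type=sourcetypes` search to see which transforms are silently missing their events.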