Getting Data In

Sourcetype not showing up properly.

jambajuice
Communicator

I cleaned up some of the inputs on a Cisco ACS server to remove some commands that are no longer supported in 4.1. After making the modification to the various sources in inputs.conf, when I search on those sources, the sourcetype has a "-2" appended to it. So, TACACS_Failed_Attempts is showing up as TACACS_Failed_Attempts-2. This is throwing off all of my transforms because the sourcetype doesn't match. Why is Splunk doing this and what do I have to do to make it recognize the proper sourcetype?

[monitor://C:\Program Files\CiscoSecure ACS v4.1\Logs\Failed Attempts\Failed Attempts active.csv]
disabled = false
host = semvacs01
index = default
sourcetype = TACACS_Failed_Attempts

[monitor://C:\Program Files\CiscoSecure ACS v4.1\Logs\Passed Authentications\Passed Authentications active.csv]
disabled = false
host = semvacs01
index = default
sourcetype = TACACS_Passed_Authentications

[monitor://C:\Program Files\CiscoSecure ACS v4.1\Logs\TACACS+ Accounting\TACACS+ Accounting active.csv]
disabled = false
host = semvacs01
index = default
sourcetype = TACACS_Accounting

[monitor://C:\Program Files\CiscoSecure ACS v4.1\Logs\TACACS+ Administration\Tacacs+ Administration active.csv]
disabled = false
host = semvacs01
index = default
sourcetype = TACACS_Admin

[monitor://C:\Program Files\CiscoSecure ACS v4.1\Logs\AdminAudit\Administration Audit active.csv]
disabled = false
host = semvacs01
index = default
sourcetype = ACS_Admin_Audit

Thanks.

Craig


tzhmaba2
Path Finder

Hi jrodman,

I'm sorry but I didn't understand a word of your answer in regards to the problem. Why is this -2 showing up in the sourcetype and how do we get rid of it??? What does the extraction of fields have to do with the fact that a sourcetype is being doubled??? I have the same phenomenon. I have cleared one index and reinstalled Splunk on one of the clients and let it index again. And I also have the sourcetype with this -2 appended. Could you explain this in the simplest words?? And how to get rid of it?

Regards


jrodman
Splunk Employee

What were you upgrading from?

I thought the -2 artifact arrived in 4.0, but it might have been new with 4.1.

This is an artifact of CHECK_FOR_HEADER, which is sort of always on for csv files, even if they are given another sourcetype, at least with older versions of 4.1.

I'll have to refer to the specific bug, but I thought this would not happen for an explicit sourcetype in 4.1.6. Do you expect to be able to get fields that are labelled by the headers of these files? If so you might need this code enabled, and perhaps sourcetype aliasing is the best solution.

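As an added illustration of the two routes jrodman describes (this is not from the thread and not Splunk's own configuration), a props.conf fragment using the sourcetype names from Craig's inputs.conf; it assumes the header-derived sourcetype was written as TACACS_Failed_Attempts-2 and that the CHECK_FOR_HEADER and rename attributes exist in the deployed version, and which stanza search-time extractions must hang off after a rename should be confirmed against the docs for that version.

```ini
# props.conf (added example, not from the thread).
# Assumed: CHECK_FOR_HEADER produced the learned sourcetype
# TACACS_Failed_Attempts-2 from the CSV header row.

# Option A: turn header detection off for the explicitly assigned
# sourcetype, so new data is indexed as TACACS_Failed_Attempts and no
# "-2" variant is created. Only events indexed after the change are
# affected; events already indexed keep their -2 sourcetype. Header-named
# fields are no longer produced, so any field the transforms depend on
# must be extracted explicitly.
[TACACS_Failed_Attempts]
CHECK_FOR_HEADER = false

# Option B: keep header-based field extraction and alias the generated
# sourcetype back to the name the transforms expect at search time.
[TACACS_Failed_Attempts-2]
rename = TACACS_Failed_Attempts
```

Pick one option per sourcetype, not both, and repeat the chosen stanza for each of the other four ACS sourcetypes.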