Getting Data In

Sourcetype not showing up properly.


I cleaned up some of the inputs on a Cisco ACS server to remove some commands that are no longer supported in 4.1. After making the modification to the various sources in inputs.conf, when I search on those sources, the sourcetype has a "-2" appended to it. So, TACACS_Failed_Attempts is showing up as TACACS_Failed_Attempts-2. This is throwing off all of my transforms because the sourcetype doesn't match. Why is Splunk doing this and what do I have to do to make it recognize the proper sourcetype?

[monitor://C:\Program Files\CiscoSecure ACS v4.1\Logs\Failed Attempts\Failed Attempts active.csv] disabled = false host = semvacs01 index = default sourcetype = TACACS_Failed_Attempts

[monitor://C:\Program Files\CiscoSecure ACS v4.1\Logs\Passed Authentications\Passed Authentications active.csv] disabled = false host = semvacs01 index = default sourcetype = TACACS_Passed_Authentications

[monitor://C:\Program Files\CiscoSecure ACS v4.1\Logs\TACACS+ Accounting\TACACS+ Accounting active.csv] disabled = false host = semvacs01 index = default sourcetype = TACACS_Accounting

[monitor://C:\Program Files\CiscoSecure ACS v4.1\Logs\TACACS+ Administration\Tacacs+ Administration active.csv] disabled = false host = semvacs01 index = default sourcetype = TACACS_Admin

[monitor://C:\Program Files\CiscoSecure ACS v4.1\Logs\AdminAudit\Administration Audit active.csv] disabled = false host = semvacs01 index = default sourcetype = ACS_Admin_Audit



Tags (1)
0 Karma

Path Finder

Hi jrodman,

I'm sorry but I didn't understand a word from your answer in regards to the problem. Why is this -2 showing up at the sourcetype and how do we get rid of it??? What has the extraction of fields to do with the fact that a sourcetype is being doubled??? I have the same phenomenon. I have cleared one index and reinstalled splunk on one of the clients and let it index again. And I have also the sourcetype with this -2 appended. Could you explain this in simplest words?? And how to get rid of it?


0 Karma

Splunk Employee
Splunk Employee

What were you upgrading from?

I thought the -2 artifact arrived in 4.0, but it might have been new with 4.1.

This is an artifact of CHECK_FOR_HEADER, which is sort of always on for csv files, even if they are given another sourcetype, at least with older versions of 4.1.

I'll have to refer to the specific bug, but i thought this would not happen for explicit sourcetype in 4.1.6. Do you expect to be able to get fields that are labelled by the headers of these files? If so you might need this code enabled, and perhaps sourcetype aliasing is the best solution.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...