Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Sourcetype renaming itself!
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ok. so i uploaded this log once.
let's call it logA.csv with sourcetype: temp
the monitor looks something like this: [ ...desktop\folder\logA.csv]
so ive done my field extractions and everything and am pretty confident to get on with monitoring the entire directory. so i changed my monitor in inputs.conf to:
[...desktop\folder\]
blacklist = *.xls
disabled = false
followTail = 0
sourcetype = temp
and restarted splunk.
now i have several sourcetypes inside: temp, temp-2, temp-3, temp-4
is there anyway to fix this? temp-2, temp-3, temp-4 doesnt show up in props.conf at all as well.
was there any step that went wrong?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is a known feature of how Splunk treats CSV files. By default it will look for a header and extract the fields from that.
If it finds files that differ a little bit in your directory, it will create a new sourcetype-n
There are a few posts here regarding this behaviour and how to fix it, here is one of them:
http://splunk-base.splunk.com/answers/24986/iis-log-fields-not-parsing
UPDATE:
You can rename sourcetypes as well, it will not really change things that are already indexed, but you can access them using the same sourcetype name in your searches.
http://docs.splunk.com/Documentation/Splunk/4.3.1/Data/Renamesourcetypes
Or you could use sourcetype=temp* in your searches.
Hope this helps,
Kristian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is a known feature of how Splunk treats CSV files. By default it will look for a header and extract the fields from that.
If it finds files that differ a little bit in your directory, it will create a new sourcetype-n
There are a few posts here regarding this behaviour and how to fix it, here is one of them:
http://splunk-base.splunk.com/answers/24986/iis-log-fields-not-parsing
UPDATE:
You can rename sourcetypes as well, it will not really change things that are already indexed, but you can access them using the same sourcetype name in your searches.
http://docs.splunk.com/Documentation/Splunk/4.3.1/Data/Renamesourcetypes
Or you could use sourcetype=temp* in your searches.
Hope this helps,
Kristian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
see update above. /k
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i see.
i deleted all the headers as the first time i indexed the file. they ran it in as an event line T_T
but i ensured the rest of the logs were the same format as the first after i extracted my own fields.
is there anyway to reverse it? i dont think i can simply reindex the same files now.
AI for AppInspect
App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community
Operationalizing Entity Risk Score with Enterprise Security 8.3+
