Sourcetypes "cross polinating"

brent_weaver · ‎07-01-2017

I am having an issue with Splunk where the sourcetypes are getting mixed up between actualy sources. For example I have a source called caasraw and cf_raw. Events from caasraw get mixed up with cf_raw and vise versa. I am wondering if there is anything in the config that could cause this. I realize that I a REALLY big question but I am wondering if anyone has an initial thoughts.

I should mention that we are going from fluentd to HEC and in fluentd are leveraging the tagging system to pass in splunk metadata, sourcetype, index etc... This my likely be the problem because we are not using the Treasure Data version, instead the open source version.

I am hoping that someone at least has a suggestion on how to initially approach this issue.

Thanks!

sbbadri · ‎07-05-2017

I hope below link helps you,

http://docs.splunk.com/Documentation/Splunk/6.6.2/RESTREF/RESTinput# - data/inputs/udp/{name} or data/inputs/udp/

woodcock · ‎07-01-2017

Remember btool is your friend.

brent_weaver · ‎07-05-2017

Hey there - I was looking at btool but cannot find the right combo of commands to show me the transforms and props. I have been suspect that the config (somewhere) is causing this. I am concerned that the transforms stanza name is being reused on multiple sourcetypes. What that cause this to happen?

gcusello · ‎07-01-2017

Hi brent_weaver,
could you share your inputs.conf?
bye.
Giuseppe

brent_weaver · ‎07-05-2017

There is no inputs.conf since this is going through fluentd's syslog input. We use it as a syslog aggregation point.

Sourcetypes "cross polinating"

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?