Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk initial indexing not behaving as expected

Branden
Builder
‎07-20-2011 07:05 AM

I'm setting up a fresh new Splunk server and am re-indexing my data from scratch.

Syslog data is being sent to my syslog-ng server/Splunk indexer via UDP 514. Rather than being sent directly to Splunk, I have the syslog data distributed to a file system/directory structure that I instruct Splunk to "monitor". (i.e. /logs/hostname/year/month/year/day/logfile)

My expectation was that the host name would be set to the hostname set in the path of the file directory structure, and that everything coming in from the syslog would be set to sourcetype "syslog". Accordingly, here is my inputs.conf:

 [monitor:///logs]
 disabled=false
 sourcetype=syslog
 host_segment=2
 blacklist=\.(bz2|gz)$

And 95% of my events are indexed correctly.

Unfortunately, a few of my events aren't setting the host name correctly; it's using the non-FQDN as indicated in the syslog event itself for some older events (legacy reasons) rather than the name specified in the /logs/hostname segment.

Also, most events are set to "syslog" as instructed in inputs.conf except for dhcp events which are being set to sourcetype "dhcpd". While technically accurate, it's not what I instructed Splunk to do in inputs.conf. I would have expected everything coming in from the /logs monitor to be set to sourcetype="syslog".

Is there a reason Splunk is over-riding my settings?

Thanks!

Tags (1)
Reply

woodcock
Esteemed Legend
‎05-28-2015 10:55 PM

A different configuration (inputs.conf) is looking at the same files but with a more specific path/file declaration. Try using btool to list out all inputs.conf settings.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...