Getting Data In

Universal Forwarder app not going to correct index or sourcetype

Branden
Builder

I'm trying to do what has always been a routine task for me: I'm indexing data as specified in inputs.conf on a Universal Forwarder. I want to force the sourcetype and the target index. I have done this many times in the past, but for some reason it's not working for me this time. The notable difference is that I'm new to v6.X... I've been using 5.0.X until recently.

Here is my inputs.conf on the UF:

[monitor:///var/log/celery/*]
index = perma
sourcetype = celery
disabled = 0

[monitor:///var/log/gunicorn/*]
index = perma
sourcetype = gunicorn
disabled = 0

[monitor:///var/log/nginx/*]
index = perma
sourcetype = nginx_access
disabled = 0

[monitor:///var/log/rabbitmq/*]
index = perma
sourcetype = rabbitmq
disabled = 0

The inputs.conf looks okay, but it's putting the data in the "main" index, and coming up with its own sourcetypes instead of the sourcetype I provided.

I ran the btool command as instructed in similar posts. Everything looks fine there.

Am I missing something silly here?

Thanks!

0 Karma

dkuk
Path Finder

Hi,

The indexes are definitely created on the indexer(s) already, right? (have to ask just in case).

So does the output of the following command from $SPLUNK_HOME$/bin folder have the index and sourcetype set as desired? Sounds like you have checked this bit but just checking for this exact usage.

./splunk cmd btool inputs list --debug

Have you got any props and transforms on the indexer that could be overriding the index and sourcetype to the wrong values? I.e. if you run ./splunk cmd btool props list --debug, is there anything picking up that folder/source and overriding the index and/or sourcetype? What's the sourcetype being set to for a given example from the inputs.conf above?

0 Karma
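
Added example, not part of either post: one way to automate the btool check suggested above is to parse the `--debug` output and compare each monitor stanza's effective index and sourcetype with the values from the question, reporting which conf file supplied a wrong value. The file paths, the app names `perma_inputs` and `other_app`, and the sample output are constructed; the parser assumes each line is a conf file path without spaces, then whitespace, then a stanza header or `key = value`.

```python
import re

APP = "/opt/splunkforwarder/etc/apps/perma_inputs/local/inputs.conf"   # assumed path
OTHER = "/opt/splunkforwarder/etc/apps/other_app/local/inputs.conf"    # assumed path

# Constructed btool --debug output: "<file that supplied the line> <stanza or key = value>"
SAMPLE = "\n".join([
    f"{APP} [monitor:///var/log/celery/*]",
    f"{APP} disabled = 0",
    f"{OTHER} index = main",
    f"{APP} sourcetype = celery",
    f"{APP} [monitor:///var/log/gunicorn/*]",
    f"{APP} disabled = 0",
    f"{APP} sourcetype = gunicorn",
    f"{APP} [monitor:///var/log/nginx/*]",
    f"{APP} index = perma",
    f"{APP} sourcetype = nginx_access",
])

# What the inputs.conf in the question asks for.
EXPECTED = {
    "monitor:///var/log/celery/*": {"index": "perma", "sourcetype": "celery"},
    "monitor:///var/log/gunicorn/*": {"index": "perma", "sourcetype": "gunicorn"},
    "monitor:///var/log/nginx/*": {"index": "perma", "sourcetype": "nginx_access"},
}

def effective(btool_text):
    """Map stanza -> {key: (value, source_file)} from btool --debug output."""
    stanzas, current = {}, None
    for line in btool_text.splitlines():
        m = re.match(r"(\S+)\s+(.+)$", line)
        if not m:
            continue
        src, rest = m.group(1), m.group(2).strip()
        if rest.startswith("[") and rest.endswith("]"):
            current = stanzas.setdefault(rest[1:-1], {})
        elif current is not None and "=" in rest:
            key, value = (part.strip() for part in rest.split("=", 1))
            current[key] = (value, src)
    return stanzas

def check(btool_text, expected):
    """Return (stanza, key, wanted, got, source_file) for every setting that differs."""
    found, problems = effective(btool_text), []
    for stanza, wanted in expected.items():
        for key, value in wanted.items():
            got, src = found.get(stanza, {}).get(key, (None, None))
            if got != value:
                problems.append((stanza, key, value, got, src))
    return problems
```

To use it on a real forwarder, pass the captured text of `./splunk cmd btool inputs list --debug` to `check()` in place of `SAMPLE`. An effective value of `None` means the stanza carries no such setting at all.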