Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Universal forwarder Sourcetype name changes itself

ea7777777
New Member
‎04-20-2020 06:20 AM

Hello,

a Universal Forwarder (7.0.1) is watches an textfile. The parameter are following:

[default]
host = RBD9EUFN

[monitor://C:\ProgramData\Cognex\In-Sight\Splunk\Log_Cam]
index = rbg_ff1_stand_allone_ant2
sourcetype = rbg_ff1_stand_allone_ant2_sourcetype

crcSalt = <SOURCE>
followTail = 1

The strange thing is, the sourcetype name changes itself! Why?

alt text

Preview file
171 KB
0 Karma
Reply

PavelP
Motivator
‎04-20-2020 07:05 AM

Hello @ea7777777 ,

are the log files in this folder being renamed? If yes, do they have the similar suffix (1-2-2-2)?

check on indexer (and on UF too, if you use INDEXED_EXTRACTIONS or local_processing) if there is any sourcetype renaming in any transforms.conf file:

on linux:

grep -Er MetaData:Sourcetype /opt/splunk/etc/*

on Windows:

findstr /s MetaData:Sourcetype c:\ProgramFiles\Splunk\etc\*

or by using btool

splunk btool transforms list --debug |grep MetaData:Sourcetype

splunk btool transforms list --debug |findstr MetaData:Sourcetype
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-20-2020 07:03 AM

The host name in your screen shot does not match the host name in your config.

---
If this reply helps you, Karma would be appreciated.
Reply

codebuilder
Influencer
‎04-20-2020 06:58 AM

Try this instead:

tstats count where index=rbg_ff1_stand_allone_ant2 by sourcetype
----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...