Solved: Using sourcetype in input.conf in Batch mode doesn...

robsenk · ‎09-25-2013

I noticed that source is not available in the Batch mode unlike the monitor mode. I wonder if the same applies to sourcetypes? It wasn't explicitly mentioned in the docs.

lguinn2 · ‎09-25-2013

I have used sourcetype with batch inputs. Here is an example that works

[batch://myinputdirectory]
move_policy = sinkhole
index = xyz
sourcetype = xyz

View solution in original post

robsenk · ‎09-25-2013

I have confirmed this to work in Splunk 5.0.4 build 172409. I will upgrade.

lguinn2 · ‎09-25-2013

I have used sourcetype with batch inputs. Here is an example that works

[batch://myinputdirectory]
move_policy = sinkhole
index = xyz
sourcetype = xyz

robsenk · ‎09-26-2013

We upgraded but I believe the fix was from simplifying the transforms.conf. I found I didn't have the exact same environment on my test box. Thanks for you help.

lguinn2 · ‎09-25-2013

Worked for me in several versions...

Do you have a typo somewhere? You might want to check everything one more time before you upgrade!

robsenk · ‎09-25-2013

Ok... that's what I have as well. I will go dig further. I should have listed the build we use. version 5.0.3, build 163460. Thanks for comment.

Using sourcetype in input.conf in Batch mode doesn't appear to work

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?