What does the view Settings -> Sourcetypes (Under ...

Getting Data In

Hi,

I am working on troubleshooting one issue where data from a particular sourcetype is not getting parsed correctly. Came across this page under Settings -> Sourcetypes and want to understand what exactly is it tell us? When I see the sourcetypes listed on this page, there are several missing even though we can see data in Splunk for those sourcetypes. If I do index=* | stats count by sourcetype all of them are listed but many from that list wont show up on that page. Check on both searchhead & indexer but same results.

e.g. We are getting Windows Event log data from the 4 common sources, i.e. Application, Security, System and Setup. But When I check under Settings -> sourcetypes, only Application and Security are listed and the app assigned to them is splunk_app_windows_infrastructure. What happened to the other two sourcetypes (System/Setup) for which we are getting data?

But we are getting data for all the sources.

Thanks,

~ Abhi

6 KB

4 KB

Get Updates on the Splunk Community!

What does the view Settings -> Sourcetypes (Under Data Section) tells us?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation