Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Where is the logtype source type defined?

DUThibault
Contributor
‎11-24-2017 07:20 AM

I've added a (universal) forwarder's local /var/log as a data input, specifying sourcetype = automatic. For audit.log, the indexed data are all marked with sourcetype=logtype, but logtype is not found in Settings: (Data) Source types. Where is logtype defined?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎11-25-2017 05:16 PM

OK, to set your sourcetype to automatic, you don't actually set your sourcetype at all, just leave completely out of your inputs.conf stanza definition. If you truly set sourcetype=automatic, then I would have expected that your sourcetype value would literally be the literal string automatic. I am unsure of how it could have come to be the literal string.

But let's back up. It is a generally poor practice to allow Splunk to decide what your sourcetypes are (should be). If you are going to start there, then turn it on, dump everything to a disposable index (like main) and then double-check everything. In all likelihood, it isn't going to tell you anything that you either didn't already know or wouldn't have immediately realized by glancing at your data. In any case, for *NIX files under /var/log/, splunk should do a find job of sourcetyping, if you set nothing at all.

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎11-25-2017 05:16 PM

OK, to set your sourcetype to automatic, you don't actually set your sourcetype at all, just leave completely out of your inputs.conf stanza definition. If you truly set sourcetype=automatic, then I would have expected that your sourcetype value would literally be the literal string automatic. I am unsure of how it could have come to be the literal string.

But let's back up. It is a generally poor practice to allow Splunk to decide what your sourcetypes are (should be). If you are going to start there, then turn it on, dump everything to a disposable index (like main) and then double-check everything. In all likelihood, it isn't going to tell you anything that you either didn't already know or wouldn't have immediately realized by glancing at your data. In any case, for *NIX files under /var/log/, splunk should do a find job of sourcetyping, if you set nothing at all.

Reply
Solved! Jump to solution

DUThibault
Contributor
‎11-28-2017 11:04 AM

To sum up, any offending sourcetype will probably be caused by a sourcetype = <offending_type> stanza in [forwarding_system]/opt/splunkforwarder/etc/apps/search/local/inputs.conf. Comment out or delete the line (taking care to stop the forwarder before doing the edit, and restarting it afterwards), and the sourcetype will revert to automatic.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎11-24-2017 07:23 AM

Hi DUThibault,
see in Indexer.
Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

DUThibault
Contributor
‎11-24-2017 07:34 AM

Where, exactly? In Splunk Web, no Indexer to be found. Searching docs.splunk.com for "indexer source type" yields 90 hits but no obvious answer.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎11-24-2017 07:48 AM

Hi DUThibault,
what is your architecture? do you have an all-in-one server or do you have search Heads and Indexers?

Anyway, you can find in Splunk server (not Forwarders) sourcetypes in [Settings -- Source types].
I searched logtype in my installation and I didn't find it!

Pretrained sourcetypes are described in https://docs.splunk.com/Documentation/Splunk/7.0.0/Data/Listofpretrainedsourcetypes and http://docs.splunk.com/Documentation/Splunk/7.0.0/Data/Whysourcetypesmatter

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

DUThibault
Contributor
‎11-24-2017 08:02 AM

My architecture is minimalistic, with a single instance indexer and search head, fed by one or more universal forwarders.

logtype is not in the list of pre-trained source types, all of which are listed in Settings: (Data) Source types except in three cases: sugarcrm_log4php is absent, while websphere_trlog_syserr and websphere_trlog_sysout seem to have been merged into a single websphere_trlog source type. Could the 7.0.0 documentation pages be incorrect or out of date?

Note that splunk btool props list logtype returns nothing.

0 Karma
Reply
Solved! Jump to solution

DUThibault
Contributor
‎11-24-2017 09:20 AM

I've now scoured the instance's props.conf and inputs.conf as well as the forwarder's, and I found sourcetype = logtype in /opt/splunkforwarder/etc/apps/search/local/inputs.conf. This seems to be an artefact of how I first set up the forwarder (you can do splunk add monitor on the forwarder's system or you can configure the monitor from the Splunk instance, using Splunk Web; I should have done just the latter). Sure enough, stopping the forwarder, commenting out the sourcetype assignation and restarting the forwarder resulted in the sourcetype becoming linux_audit. Mystery solved!

0 Karma
Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
Top