Where to re-define a sourcetype when accidentally set wrong in inputs.conf

SplunkTrust

Hi,

I have set an inputs.conf stanza on my indexer that looks like this:

[tcp://10.X.X.X:1500]
disabled = false
index = blablabla
sourcetype = webservers
host = blablabla.bla.de

Everything seems to be fine. The data gets received and indexed correctly. It shows up with sourcetype="webservers" after searching.

But I can't find the sourcetype "webservers" via Splunk Web.
I think I did something wrong and should have set the sourcetype via props.conf in the first place.


Can you give me an example of a stanza showing how to set a sourcetype in props.conf for data received via tcp:1500?


Thank you very much!

Kind regards,
pyro_wood

0 Karma

Re: Where to re-define a sourcetype when accidentally set wrong in inputs.conf

Legend

The most common reasons for this problem are

(1) Index "blablabla" is not searchable for your role by default. Try searching for index=blablabla sourcetype=webservers or index=* sourcetype=webservers
(2) Your role has no access to index "blablabla" at all

The best place to set the sourcetype for an input is inputs.conf - you did exactly the right thing.

0 Karma

Re: Where to re-define a sourcetype when accidentally set wrong in inputs.conf

SplunkTrust

Hi Iguinn,

thank you for your reply. But unfortunately those two suggestions are not the case.

I'm logged in as the standard splunk admin user and I can search and have the right to view the index and the sourcetype.
Somehow I can't find the defined sourcetype via Splunk Web. Not on the SH, the Master, nor the indexer peers.

When I do a grep -r "webservers" /splunk/ on one of the indexers, I find the sourcetype in files like this:

/splunk/etc/slave-apps/_cluster/local/inputs.conf:sourcetype = webservers
/splunk/etc/slave-apps/_cluster/local/props.conf:sourcetype=webservers

....

Do you have any other idea what could have gone wrong there?
Thanks again!

0 Karma

Re: Where to re-define a sourcetype when accidentally set wrong in inputs.conf

SplunkTrust

Hi Iguinn,

I've noticed the strange behavior.
If I want to add data via splunk web I can find and select the sourcetype "webservers".
But if I go under settings -> sourcetypes I don't find "webservers" anywhere.

Maybe this is normal behavior, I'm just curious and confused.

0 Karma

Re: Where to re-define a sourcetype when accidentally set wrong in inputs.conf

SplunkTrust

The sourcetype must have been defined on the indexers, so its definition will not be available in the search head's Splunk Web. Try logging in to Splunk Web (if enabled) on an indexer, or just run btool on the indexer server for the sourcetype to see the definition:

splunk cmd btool props list webservers

0 Karma
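
An added example, not part of the thread and not Splunk tooling: a small Python check that separates .conf files that only assign `sourcetype = webservers` to an input or source from files that carry a `[webservers]` stanza in props.conf, the stanza name passed to btool above. The file paths come from the grep output in the thread; the file contents, including the `[source::tcp:1500]` stanza, are constructed for illustration.

```python
import re

# Constructed sample: paths taken from the grep output in the thread, file
# contents (including the [source::tcp:1500] stanza) assumed for illustration.
SAMPLE_CONFS = {
    "/splunk/etc/slave-apps/_cluster/local/inputs.conf": """\
[tcp://10.X.X.X:1500]
index = blablabla
sourcetype = webservers
""",
    "/splunk/etc/slave-apps/_cluster/local/props.conf": """\
[source::tcp:1500]
sourcetype=webservers
""",
}

STANZA = re.compile(r"^\[(.+)\]\s*$")
SETTING = re.compile(r"^([^=\s#][^=]*?)\s*=\s*(.*)$")


def parse_conf(text):
    """Yield (stanza, key, value); key is None for the stanza header itself."""
    stanza = "default"  # settings before any header are global
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = STANZA.match(line)
        if header:
            stanza = header.group(1)
            yield stanza, None, None
            continue
        setting = SETTING.match(line)
        if setting:
            yield stanza, setting.group(1).strip(), setting.group(2).strip()


def classify(confs, sourcetype):
    """Return (files with a [sourcetype] props stanza, (file, stanza) pairs that assign it)."""
    defined, assigned = [], []
    for path, text in confs.items():
        for stanza, key, value in parse_conf(text):
            if key is None and path.endswith("props.conf") and stanza == sourcetype:
                defined.append(path)
            elif key == "sourcetype" and value == sourcetype:
                assigned.append((path, stanza))
    return defined, assigned


if __name__ == "__main__":
    print(classify(SAMPLE_CONFS, "webservers"))
```

With this constructed input both files only assign the sourcetype, and no `[webservers]` stanza is found.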

Re: Where to re-define a sourcetype when accidentally set wrong in inputs.conf

SplunkTrust

Thank you, I'll try it out 🙂

0 Karma