I have set an inputs.conf stanza on my indexer that looks like this.
[tcp://10.X.X.X:1500]
disabled = false
index = blablabla
sourcetype = webservers
host = blablabla.bla.de
Everything seems to be fine. The data gets received and indexed correctly. It shows up with sourcetype="webservers" after searching.
But. I can't find the sourcetype "webservers" via splunk web.
I think I did something wrong and should have set the sourcetype via props.conf in the first place.
Can you give me an example of a stanza on how to set a sourcetype for a data-receiving via tcp:1500 in props.conf?
Thank you very much!
The most common reasons for this problem are
(1) Index "blablabla" is not searchable for your role by default. Try searching for
index=blablabla sourcetype=webservers
or
(2) Your role has no access to index "blablabla" at all
The best place to set the sourcetype for an input is inputs.conf - you did exactly the right thing.
Thank you for your reply. But unfortunately those two suggestions are not the case.
I'm logged in as the standard splunk admin user and I can search and have the right to view the index and the sourcetype.
Somehow I can't find the defined sourcetype via splunk web. Not on the SH, Master nor the indexer-peers.
When I do a grep -r "webservers" /splunk/ on one of the indexers I find the sourcetype in files like this:
/splunk/etc/slave-apps/_cluster/local/inputs.conf:sourcetype = webservers
/splunk/etc/slave-apps/_cluster/local/props.conf:sourcetype=webservers
Do you have any other idea what could have gone wrong there?
I've noticed the strange behavior.
If I want to add data via splunk web I can find and select the sourcetype "webservers".
But if I go under settings -> sourcetypes I don't find "webservers" anywhere.
Maybe this is normal behavior, I'm just curious and confused.
The sourcetype must have been defined on the Indexers, so its definition will not be available in the Search Head's Splunk Web. Try to log in to Splunk Web (if enabled) on the Indexer, or just run btool on the Indexer server for the sourcetype to see the definition:
splunk cmd btool props list webservers
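
An offline complement to the grep and btool checks in this thread, as an added example that is not part of the original posts: it walks a Splunk etc tree and reports, for each inputs.conf and props.conf, whether the sourcetype name appears as a "sourcetype = ..." assignment or as its own [name] stanza. The sample files, the 192.0.2.10 address and the [source::tcp:1500] stanza are constructed for illustration.

```python
import os
import re
import tempfile

STANZA = re.compile(r"^\[(.+)\]\s*$")
SETTING = re.compile(r"^sourcetype\s*=\s*(.*)$")

def scan_conf(path, sourcetype):
    """Return (kind, stanza, line number) for each mention of the sourcetype."""
    hits, stanza = [], "default"
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.strip()
            header = STANZA.match(line)
            if header:
                stanza = header.group(1)
                if stanza == sourcetype:  # a [<sourcetype>] stanza of that name
                    hits.append(("stanza", stanza, lineno))
                continue
            setting = SETTING.match(line)
            if setting and setting.group(1).strip() == sourcetype:
                hits.append(("assignment", stanza, lineno))
    return hits

def scan_tree(root, sourcetype):
    """Map each inputs.conf/props.conf under root (relative path) to its hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in set(files) & {"inputs.conf", "props.conf"}:
            path = os.path.join(dirpath, name)
            hits = scan_conf(path, sourcetype)
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report

def demo():
    """Build a constructed sample tree (not the poster's real files) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        local = os.path.join(root, "etc", "slave-apps", "_cluster", "local")
        os.makedirs(local)
        with open(os.path.join(local, "inputs.conf"), "w") as fh:
            fh.write("[tcp://192.0.2.10:1500]\ndisabled = false\n"
                     "index = blablabla\nsourcetype = webservers\n")
        with open(os.path.join(local, "props.conf"), "w") as fh:
            fh.write("[source::tcp:1500]\nsourcetype=webservers\n")
        return scan_tree(root, "webservers")

if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        print(path, hits)
```

On the constructed sample both files report only an "assignment" hit and no "stanza" hit, which is the distinction a plain grep -r does not show.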