Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why am I having sourcetype override problems when trying to monitor a log directory for a custom application?

bdf0506
Path Finder
‎08-26-2018 05:09 PM

I have the universal forwarder installed on a Windows 2012 server. I am trying to monitor a log directory for a custom application. The application creates a new log file for each month, so I have many text files in the folder that look like 201808.txt, 201807.txt, 201806.txt, etc.

When I monitor the directory, instead of hardcoding the sourcetype that I am telling splunk to do, it is instead setting the sourcetype to the filename. How can I fix this?

On the Windows Server, inputs.conf:

[monitor://C:\BlueIris\log]
disabled = false
sourcetype = blueiris

On the indexer, props.conf:

[blueiris]
sourcetype = blueiris
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bdf0506
Path Finder
‎08-27-2018 08:36 AM

I got to the bottom of this.

My original post was actually correct, but I had it in the wrong place, as I was erroneously placing this in $SPLUNK_HOME/etc/apps/SplunkUniversalForwarder/local/inputs.conf when it needed to be in $SPLUNK_HOME/etc/apps/search/inputs.conf. You don't need a props.conf defined on either the Windows host or the main Indexer for this to work.

[monitor://C:\BlueIris\log\]
disabled = false
sourcetype = blueiris

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

bdf0506
Path Finder
‎08-27-2018 08:36 AM

I got to the bottom of this.

My original post was actually correct, but I had it in the wrong place, as I was erroneously placing this in $SPLUNK_HOME/etc/apps/SplunkUniversalForwarder/local/inputs.conf when it needed to be in $SPLUNK_HOME/etc/apps/search/inputs.conf. You don't need a props.conf defined on either the Windows host or the main Indexer for this to work.

[monitor://C:\BlueIris\log\]
disabled = false
sourcetype = blueiris
0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎08-26-2018 05:36 PM

The second stanza is redundant. There is no reason to assign sourcetype blueiris to something that comes in as sourcetype blueiris.

Also, sourcetype is not one of the keywords for a monitor stanza.

Try it without assigning sourcetype in that first stanza at all...

...and add a props.conf stanza that sets the sourcetype based on the source, like this...

 [source:://C:\BlueIris\log*]
  sourcetype = blueiris
0 Karma
Reply
Solved! Jump to solution

bdf0506
Path Finder
‎08-26-2018 06:09 PM

No change.

I first removed this from props.conf on the INDEXER:

 [blueiris]
 sourcetype = blueiris

Then, I changed the inputs.conf on the Windows Unviersal Forwarder to this:

 [monitor://C:\BlueIris\log]
 disabled = false

And then I added a props.conf file on Windows that shows this:

[source:://C:\BlueIris\log*]
sourcetype = blueiris

But after doing all that, it still is being tagged with the incorrect sourcetype.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing the Expansion of the Splunk Academic Alliance Program

The Splunk Community is more than just an online forum — it’s a network of passionate users, administrators, ...

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
li.common.scroll-to.top