Getting Data In

Why am I not receiving any data from my new sourcetype in inputs.conf?

tc641
New Member

I have decided to use a different sourcetype for some logs which are already going into splunk (every 2 mins or so)

There is nothing wrong with my props.conf as the sourcetype is working for logs in different indexes in splunk.

inputs.conf:

[monitor://]
disabled = false
followTail = 0
index = index1
sourcetype = newsourcetype
ignoreOlderThan = 5d

After I changed the sourcetype in props.conf I ran splunk apply cluster-bundle and everything was good.
I then changed the sourcetype in inputs.conf to newsourcetype. I then restarted splunk.

About half an hour passes.

I check on splunk: index=index1 sourcetype=newsourcetype and there were no results.
However: index=index1 sourcetype=oldsourcetype showed that logs were coming in every two minutes.

Why would my change to the sourcetype in inputs.conf not take effect?

0 Karma

santiagoaloi
Path Finder

Just changing the sourcetype shouldn't be a problem, are you routing those events based on the sourcetype? in that case you might have to check if you have any transforms that you should also take into account. is your inputs.conf in a HF or UF?

0 Karma

tc641
New Member

Thanks for replying -- I'm just really confused now. I checked on the deployment server > forwarder management tab and it says my server class does not have any clients associated with it. I just really don't know how splunk could still be receiving logs (from a server which is not dialling into splunk ?!?!?
Anyway this is a different question so thank you for your help 🙂

0 Karma

cpetterborg
SplunkTrust
SplunkTrust

Maybe I'm misunderstanding, but you don't have to have a forwarder contact the DS for it to have data accepted by the indexers. There isn't a connection between the DS and the indexers to make that requirement even possible.

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...