Getting Data In

Why am I not receiving any data from my new sourcetype in inputs.conf?

tc641
New Member

I have decided to use a different sourcetype for some logs which are already going into Splunk (every 2 mins or so).

There is nothing wrong with my props.conf as the sourcetype is working for logs in different indexes in Splunk.

inputs.conf:

[monitor://]
disabled = false
followTail = 0
index = index1
sourcetype = newsourcetype
ignoreOlderThan = 5d

After I changed the sourcetype in props.conf I ran splunk apply cluster-bundle and everything was good.
I then changed the sourcetype in inputs.conf to newsourcetype. I then restarted Splunk.

About half an hour passes.

I check on Splunk: index=index1 sourcetype=newsourcetype and there were no results.
However: index=index1 sourcetype=oldsourcetype showed that logs were coming in every two minutes.

Why would my change to the sourcetype in inputs.conf not take effect?

0 Karma

santiagoaloi
Path Finder

Just changing the sourcetype shouldn't be a problem. Are you routing those events based on the sourcetype? In that case you might have to check if you have any transforms that you should also take into account. Is your inputs.conf on a HF or UF?

0 Karma

tc641
New Member

Thanks for replying -- I'm just really confused now. I checked on the deployment server > forwarder management tab and it says my server class does not have any clients associated with it. I just really don't know how Splunk could still be receiving logs (from a server which is not dialling into Splunk?!?!?).
Anyway this is a different question so thank you for your help 🙂

0 Karma

cpetterborg
SplunkTrust

Maybe I'm misunderstanding, but you don't have to have a forwarder contact the DS for it to have data accepted by the indexers. There isn't a connection between the DS and the indexers to make that requirement even possible.

0 Karma