Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Why are my source types missing after upgrading to Splunk Enterprise 7.2?

asherer_splunk
Splunk Employee
Splunk Employee
‎11-06-2018 05:45 AM

Upgraded search head to 7.2, and whenever I search for logs, the majority of source types appear to be missing from the list of available source types.

If I do a search for a particular source, and add "| fields host source sourcetype", the source type is not returned.

If I do a metadata search, or a search from my cluster master for the data, the source types are returned fine. This seems to be a problem only with my upgraded search head.

Reply
1 Solution
Solved! Jump to solution
Solution

asherer_splunk
Splunk Employee
Splunk Employee
‎11-06-2018 05:48 AM

Upon reviewing configs, there were stanzas in ..etc/search/local/props.conf and ..etc/system/local/props.conf like this:

[host::t*]
FIELDALIAS-t*_sourcedFrom_as_sourcetype = sourcedFrom AS sourcetype sourcedfrom AS sourcetype

[host::pcf]
FIELDALIAS-pcf_Stacktrace_as_StackTrace = Stacktrace AS StackTrace
FIELDALIAS-pcf_sourcedFrom_as_sourcetype = sourcedFrom AS sourcetype sourcedfrom AS sourcetype

[host::*]
FIELDALIAS-allhost_sourcedFrom_as_sourcetype = sourcedFrom AS sourcetype sourcedfrom AS sourcetype

Field aliasing has been changed in 7.2 and these entries broke sourcetypes on the production search head. Once they were removed, and the search head was restarted, the problem was fixed.

View solution in original post

Reply
Solved! Jump to solution
Solution

asherer_splunk
Splunk Employee
Splunk Employee
‎11-06-2018 05:48 AM

Upon reviewing configs, there were stanzas in ..etc/search/local/props.conf and ..etc/system/local/props.conf like this:

[host::t*]
FIELDALIAS-t*_sourcedFrom_as_sourcetype = sourcedFrom AS sourcetype sourcedfrom AS sourcetype

[host::pcf]
FIELDALIAS-pcf_Stacktrace_as_StackTrace = Stacktrace AS StackTrace
FIELDALIAS-pcf_sourcedFrom_as_sourcetype = sourcedFrom AS sourcetype sourcedfrom AS sourcetype

[host::*]
FIELDALIAS-allhost_sourcedFrom_as_sourcetype = sourcedFrom AS sourcetype sourcedfrom AS sourcetype

Field aliasing has been changed in 7.2 and these entries broke sourcetypes on the production search head. Once they were removed, and the search head was restarted, the problem was fixed.

Reply
Solved! Jump to solution

jpvalenc
Path Finder
‎01-16-2020 06:23 PM

Hello,

I know this question has been a while but what exactly is wrong with those FIELDALIAS entries? We seem to have encountered the same error upgrading from 7.1.4 to 7.3.2.

0 Karma
Reply
Solved! Jump to solution

jpvalenc
Path Finder
‎01-16-2020 08:21 PM

Thank you very much. That explains it better. 🙂

0 Karma
Reply
Solved! Jump to solution

buysse
Explorer
‎11-10-2018 04:53 PM

Was there anything in the documentation about this change? It kind of seems like a big one, and I don't see anything in upgrade notes or anything in the release notes, and it's kind of biting me right now.

0 Karma
Reply
Solved! Jump to solution

asherer_splunk
Splunk Employee
Splunk Employee
‎11-13-2018 05:59 AM

I am pushing internally to have something added to the documentation about this, as I believe you are correct and currently there is nothing that denotes this change.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...