Getting Data In

Why is source type stuck on too_small?

tretrigh
Explorer

In our distributed enterprise Splunk environment we have a log file being generated on each Splunk host (indexers, search head, deployment server, etc) located at: /opt/splunk/var/log/splunk/foo.log

By default this gets logged to _internal using the foo-too_small source type.

We now want to change the source type to one we created (my:custom:sourcetype).  I have created the following props.conf file on the deployment server as a custom app and deployed successfully via apply cluster-bundle.  However, new log data is still being associated with the existing source type of foo-too_small.  We also set the local.meta file (under metadata) for permissions.

I have verified this file is making it to the indexers in peer-apps.


[my:custom:sourcetype]
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
MAX_TIMESTAMP_LOOKAHEAD = 25

[source::.../var/log/splunk/foo.log]
sourcetype = my:custom:sourcetype


Questions:

  1. Why isn't this working?
  2. What needs to be done instead to change to a custom source type?

Thank you in advance!

1 Solution

tretrigh
Explorer

Answering my own question here:

  1. Several indexers were not automatically getting the new source type applied for unknown reasons.  I was specifically looking at one which was not.  A reboot of each indexer missing the source type resolved the issue.  A splunkd restart would probably have been sufficient.  All indexers are working as intended.
  2. I added the app to each splunk host (SH, deployment server, etc) which defines the new source type.  A debug refresh populated the new source type correctly on each host.  I incorrectly assumed that the app's presence on the indexers would affect the data coming from each of the splunk hosts.


gcusello
SplunkTrust

Hi @tretrigh ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉


gcusello
SplunkTrust

Hi @tretrigh,

check whether there is some input on your forwarders without a sourcetype definition.

You can do this by analyzing the host and source values.

Assign the correct sourcetype to all your inputs.

ciao.

Giuseppe


tretrigh
Explorer

Thank you for the reply.  Do you have any specific guidance on how to apply the correct source type to our data in our situation?


gcusello
SplunkTrust

Hi @tretrigh,

sometimes (I don't know why) there are situations where the sourcetype isn't defined in the add-on, so Splunk automatically assigns a sourcetype based on its own knowledge, and sometimes it cannot find the correct one.

So analyze your logs where there's a too_small sourcetype, find the add-on with that input, and manually assign the correct sourcetype in the add-on.

Ciao.

Giuseppe


tretrigh
Explorer

Thanks for the reply @gcusello.  In this situation there is no add-on.  The log file on each Splunk host is generated by a script we wrote.  We have attempted to manually define the source type for this specific log unsuccessfully.  Do you have any suggestions for how to correctly manually define the source type other than what we've already done?  Thank you for the assistance!


richgalloway
SplunkTrust

Every Splunk input should have a sourcetype assigned to it.

Every sourcetype needs to be defined in a props.conf file.

Every props.conf stanza should have the "Great Eight" attributes, at a minimum.

[mysourcetype]
TIME_PREFIX = 
TIME_FORMAT = 
MAX_TIMESTAMP_LOOKAHEAD = 
TRUNCATE = 
SHOULD_LINEMERGE = false
LINE_BREAKER =
EVENT_BREAKER = 
EVENT_BREAKER_ENABLE = true

Set values for each attribute that correspond to the data being ingested.

---
If this reply helps you, Karma would be appreciated.
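The two configuration questions in this thread (does the `[source::...]` stanza in the original post actually match `/opt/splunk/var/log/splunk/foo.log`, and does the sourcetype stanza carry the "Great Eight" attributes listed above) can be checked offline before touching a host. The script below is an added example written for this page, not code from the thread or from Splunk: it parses a props.conf text (the sample is constructed from the stanzas in the question), resolves which sourcetype a file path would receive, and lists which of the Great Eight are missing from the winning stanza. It implements only the two documented wildcards (`...` matches across `/`, `*` matches within one path segment) and approximates Splunk's "most specific stanza wins" rule by longest literal text; that approximation and the helper names are assumptions of this example.

```python
"""Check a props.conf: which sourcetype does a path get, and is the
sourcetype stanza complete?  Added example, not Splunk's own code."""
import re

# Constructed sample modelled on the props.conf in the original post.
SAMPLE_PROPS = """
[my:custom:sourcetype]
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
MAX_TIMESTAMP_LOOKAHEAD = 25

[source::.../var/log/splunk/foo.log]
sourcetype = my:custom:sourcetype
"""

# The "Great Eight" attributes named in the reply above.
GREAT_EIGHT = (
    "TIME_PREFIX", "TIME_FORMAT", "MAX_TIMESTAMP_LOOKAHEAD", "TRUNCATE",
    "SHOULD_LINEMERGE", "LINE_BREAKER", "EVENT_BREAKER", "EVENT_BREAKER_ENABLE",
)


def parse_props(text):
    """Minimal .conf parser returning {stanza: {key: value}}.
    Splunk stanza names contain ':' and '::', so configparser is avoided."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def source_pattern_to_regex(pattern):
    """Translate a [source::<pattern>] into a regex.
    '...' matches any characters including '/', '*' matches any except '/'."""
    out = []
    for part in re.split(r"(\.\.\.|\*)", pattern):
        if part == "...":
            out.append(".*")
        elif part == "*":
            out.append("[^/]*")
        else:
            out.append(re.escape(part))
    return re.compile("^" + "".join(out) + "$")


def resolve_sourcetype(stanzas, path, input_sourcetype=None):
    """Return the sourcetype a path would get.  A matching [source::] stanza
    with 'sourcetype =' overrides the input's own value; otherwise the
    input's sourcetype is kept.  Specificity is approximated (assumption)
    by the length of the literal, non-wildcard part of the pattern."""
    best, best_len = input_sourcetype, -1
    for name, attrs in stanzas.items():
        if not name.startswith("source::") or "sourcetype" not in attrs:
            continue
        pattern = name[len("source::"):]
        if source_pattern_to_regex(pattern).match(path):
            literal_len = len(pattern.replace("...", "").replace("*", ""))
            if literal_len > best_len:
                best, best_len = attrs["sourcetype"], literal_len
    return best


def missing_great_eight(stanzas, sourcetype):
    """List the Great Eight attributes absent from a sourcetype stanza."""
    attrs = stanzas.get(sourcetype, {})
    return [a for a in GREAT_EIGHT if a not in attrs]


if __name__ == "__main__":
    props = parse_props(SAMPLE_PROPS)
    path = "/opt/splunk/var/log/splunk/foo.log"
    st = resolve_sourcetype(props, path, input_sourcetype="foo-too_small")
    print("resolved sourcetype:", st)
    print("missing Great Eight attributes:", missing_great_eight(props, st))
```

If the script resolves the expected sourcetype but a host still reports too_small, the configuration is syntactically fine and the problem is where it is deployed: as the accepted answer found, the app must be present on the host that reads the file, not only on the indexers, and `splunk btool props list my:custom:sourcetype --debug` on that host shows whether the merged stanza is actually there and which file it came from.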

tretrigh
Explorer

Thank you for the reply.  I might be missing something obvious, but unsure how any of these settings might help us reassign the source type to something else.  Could you please provide further elaboration?  Thank you!
