Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why is the Sourcetype Not Showing Up?

MollyDS
Explorer
‎08-10-2016 08:36 AM

So I noticed today for whatever reason that my graphs were not giving up to date information. I looked into the issue and it turns out that my source was no longer having the information pumped into it. It does catch everything even if the log file changes names because I have it set up with a wildcard.

But what was even weirder is that the information was showing up in the Source, and some information was being sent to the sourcetype but not the information that would fill in my graphs.

So the information is there and I can technically change the Sourcetype to the source to get my graphs, but I want to know why it did that. The only thing that I did yesterday to Splunk was set up an Alert that would send out one email to me when a certain number for a name value pair was reached on the system. The alert was actually pulling on that Sourcetype but I set up that Alert ~8 hrs before the information stopped showing up. It wasn't doing the alert real time either just every hour.

I no longer have the alert either because I deleted it earlier this morning when I realized that it didn't do what I want, this was before I realized I had the problem a I do now.

Labels (2)
Labels
0 Karma
Reply

woodcock
Esteemed Legend
‎08-12-2016 11:54 AM

I suspect that your searches are not fully qualified with index= and sourcetype= everywhere. Because of this, you are wide open to your searches being qualified by role settings (e.g. Indexes searched by default). Try using index=<something> everywhere.

Reply

skoelpin
SplunkTrust
SplunkTrust
‎08-10-2016 08:46 AM

So you're saying that the events coming in no longer have the sourcetype you specified in the inputs.conf?

First I would verify that this is generating log data. You should then verify your forwarder service is turned on. You should then look on your inputs.conf file on the forwarder and verify that you specified the sourcetype in there. If all these are good then I would try to restart your forwarder service by going into /splunk/bin and doing a /splunk restart

How many forwarders do you have with this specified sourcetype?

Reply

jkat54
SplunkTrust
SplunkTrust
‎08-10-2016 08:52 AM

Just to add a bit here... you might have new outputs.conf settings that are sending the data to a different location now.

I recommend using ./splunk cmd btool outputs list --debug to verify your outputs if none of the above works.

Reply

yr
Loves-to-Learn Everything
‎08-28-2023 02:27 PM

i had similar issue.   i created new index for my windows servers and define the sourcetype in inputs.conf and deploy the _TA_Windows apps search works fine but source type and source are interchanged.

any thoughts ?

 

0 Karma
Reply

KaraD
Community Manager
Community Manager
‎08-29-2023 09:17 AM

Hi! Kara here, Splunk Community Manager. Thanks for your question, but I see this post is from 2016. I recommend you post a new question to gain more visibility and current answers.

 

Cheers!

0 Karma
Reply
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...