Getting Data In

Why is the sourcetype not being considered?

andrewtrobec
Builder

Hello!

I have a really simple Unix-based shell script that returns info about the httpd (Apache) service.  The script is encapsulated in an input, so the printf statement becomes the event.  Each event is one line only.

Here is an indexed event coming from the UF (with highlights that I will explain successively):

[attached screenshot: issue.png]

For some reason the sourcetype is not working since _time is not what I specify, rather it is half from the field I want (timestamp in green) and half some text in the payload that I do not want (date in red).

The sourcetype is currently this (it has gone through many evolutions):

[linux:httpdinfo]
SHOULD_LINEMERGE = false
KV_MODE = auto
MAX_TIMESTAMP_LOOKAHEAD = 30
TIME_FORMAT = %Y-%m-%d %H:%M:%S %z

No matter what I try I cannot seem to get it to work.

Could somebody give me a push in the right direction?

Thanks!

Andrew


richgalloway
SplunkTrust

Is the sourcetype set correctly in inputs.conf?

Try these props.conf settings:

[linux:httpdinfo]
SHOULD_LINEMERGE = false
KV_MODE = auto
MAX_TIMESTAMP_LOOKAHEAD = 30
TIME_PREFIX = date="
TIME_FORMAT = %Y-%m-%d %H:%M:%S %z
---
If this reply helps you, an upvote would be appreciated.
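To see what the TIME_PREFIX suggestion changes, here is an added simplified model of how TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD and TIME_FORMAT narrow the timestamp search for a single-line event. It is not Splunk's parser and not code from this thread; the sample event is constructed, and the regex is a hand-written stand-in for the one TIME_FORMAT in the stanza. As the accepted answer notes, these settings only take effect on the component that parses the data (indexer or heavy forwarder), not on a universal forwarder.

```python
import re
from datetime import datetime

# The props.conf knobs from the thread, modelled as plain values.
TIME_FORMAT = "%Y-%m-%d %H:%M:%S %z"
MAX_TIMESTAMP_LOOKAHEAD = 30
# Hand-written stand-in for TIME_FORMAT above; it only covers that one format.
TIME_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}")


def extract_time(event, time_prefix=None, lookahead=MAX_TIMESTAMP_LOOKAHEAD):
    """Simplified model of timestamp extraction for one event.

    The search starts at the beginning of the event, or just after the first
    TIME_PREFIX match when one is configured. The timestamp must begin within
    `lookahead` characters of that point; otherwise extraction fails and the
    caller falls back to something else (Splunk would use a default such as
    the index time, which is the symptom described in the question).
    Returns (datetime, offset) on success, or (None, None).
    """
    start = 0
    if time_prefix:
        m = re.search(time_prefix, event)   # TIME_PREFIX is a regex in Splunk too
        if m is None:
            return None, None               # prefix absent: nothing to anchor on
        start = m.end()
    m = TIME_RE.search(event, start)
    if m is None or m.start() - start >= lookahead:
        return None, None                   # no timestamp inside the lookahead window
    return datetime.strptime(m.group(0), TIME_FORMAT), m.start()


# Constructed one-line event in the spirit of the printf output described in
# the question: a service-start timestamp appears before the field that
# should drive _time, so an unanchored search picks the wrong one.
SAMPLE_EVENT = (
    'httpd=running since="2022-06-20 08:00:00 +0000" '
    'date="2022-06-27 10:15:42 +0000" pid=1234'
)


def compare(event=SAMPLE_EVENT):
    """Extract _time with the original stanza and with the suggested one."""
    without, _ = extract_time(event)                        # no TIME_PREFIX
    with_, _ = extract_time(event, time_prefix=r'date="')   # suggested TIME_PREFIX
    return {
        "without_prefix": without.isoformat() if without else None,
        "with_prefix": with_.isoformat() if with_ else None,
    }


if __name__ == "__main__":
    for setting, value in compare().items():
        print(f"{setting:15s} -> {value}")
```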

andrewtrobec
Builder

@richgalloway Thanks for taking the time, hope you're well!

Unfortunately the suggestion does not work.  It continues to index as before.  Here is a tabled output with the indextime as well (timezone gets localized, I am on CET while raw is UTC):

[attached screenshot: Untitled.png]

Potentially useful info: the sourcetype is defined in the props.conf belonging to the app that has been deployed to UF via DS.  It is not defined anywhere on the indexer that receives the data.  This same app contains the shell script as well as inputs.conf.

Best regards,

Andrew


richgalloway
SplunkTrust

@andrewtrobec wrote:

Potentially useful info: the sourcetype is defined in the props.conf belonging to the app that has been deployed to UF via DS.  It is not defined anywhere on the indexer that receives the data.  

There's the problem.  The props.conf settings must be on the indexer because it is there that timestamp extraction is done.

---
If this reply helps you, an upvote would be appreciated.

andrewtrobec
Builder

@richgalloway That did the trick.  Thanks Rich, appreciate your expert support as always ❤️
