Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is the sourcetype not being considered?

andrewtrobec
Motivator
‎01-12-2022 11:46 AM

Hello!

I have a really simple unix based shell script that returns info about the httpd (Apache) service.  The script is encapsulated in an input, so the printf statement becomes the event.  Each event is one line only.

Here is an indexed event coming from the UF (with highlights that I will explain successively):

issue.png

For some reason the sourcetype is not working since _time is not what I specify, rather it is half from the field I want (timestamp in green) and half some text in the payload that i do not want (date in red).

The sourcetype is currently this (it has gone through many evolutions):

[linux:httpdinfo]
SHOULD_LINEMERGE = false
KV_MODE = auto
MAX_TIMESTAMP_LOOKAHEAD = 30
TIME_FORMAT = %Y-%m-%d %H:%M:%S %z

No matter what I try I cannot seem to get it to work.

Could somebody give me a push in the right direction?

Thanks!

Andrew

Labels (4)
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-13-2022 04:48 AM
@andrewtrobec wrote:

Potentially useful info: the sourcetype is defined in the props.conf belonging to the app that has been deployed to UF via DS.  It is not defined anywhere on the indexer that receives the data.  

There's the problem.  The props.conf settings must be on the indexer because it is there that timestamp extraction is done.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎01-12-2022 12:31 PM

Is the sourcetype set correctly in inputs.conf?

Try this props.conf settings:

[linux:httpdinfo]
SHOULD_LINEMERGE = false
KV_MODE = auto
MAX_TIMESTAMP_LOOKAHEAD = 30
TIME_PREFIX = date="
TIME_FORMAT = %Y-%m-%d %H:%M:%S %z
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

andrewtrobec
Motivator
‎01-13-2022 04:07 AM

@richgalloway Thanks for taking the time, hope you're well!

Unfortunately the suggestion does not work.  It continues to index as before.  Here is a tabled output with the indextime as well (timezone gets localized, I am on CET while raw is UTC):

Untitled.png

Potentially useful info: the sourcetype is defined in the props.conf belonging to the app that has been deployed to UF via DS.  It is not defined anywhere on the indexer that receives the data.  This same app contains the shell script as well as inputs.conf.

Best regards,

Andrew

Tags (1)
0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-13-2022 04:48 AM
@andrewtrobec wrote:

Potentially useful info: the sourcetype is defined in the props.conf belonging to the app that has been deployed to UF via DS.  It is not defined anywhere on the indexer that receives the data.  

There's the problem.  The props.conf settings must be on the indexer because it is there that timestamp extraction is done.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

andrewtrobec
Motivator
‎01-13-2022 05:33 AM

@richgalloway That did the trick.  Thanks Rich, appreciate your expert support as always ❤️

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top