Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is the sourcetype not being considered?

andrewtrobec
Motivator
‎01-12-2022 11:46 AM

Hello!

I have a really simple unix based shell script that returns info about the httpd (Apache) service.  The script is encapsulated in an input, so the printf statement becomes the event.  Each event is one line only.

Here is an indexed event coming from the UF (with highlights that I will explain successively):

issue.png

For some reason the sourcetype is not working since _time is not what I specify, rather it is half from the field I want (timestamp in green) and half some text in the payload that i do not want (date in red).

The sourcetype is currently this (it has gone through many evolutions):

[linux:httpdinfo]
SHOULD_LINEMERGE = false
KV_MODE = auto
MAX_TIMESTAMP_LOOKAHEAD = 30
TIME_FORMAT = %Y-%m-%d %H:%M:%S %z

No matter what I try I cannot seem to get it to work.

Could somebody give me a push in the right direction?

Thanks!

Andrew

Labels (4)
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-13-2022 04:48 AM
@andrewtrobec wrote:

Potentially useful info: the sourcetype is defined in the props.conf belonging to the app that has been deployed to UF via DS.  It is not defined anywhere on the indexer that receives the data.  

There's the problem.  The props.conf settings must be on the indexer because it is there that timestamp extraction is done.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎01-12-2022 12:31 PM

Is the sourcetype set correctly in inputs.conf?

Try this props.conf settings:

[linux:httpdinfo]
SHOULD_LINEMERGE = false
KV_MODE = auto
MAX_TIMESTAMP_LOOKAHEAD = 30
TIME_PREFIX = date="
TIME_FORMAT = %Y-%m-%d %H:%M:%S %z
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

andrewtrobec
Motivator
‎01-13-2022 04:07 AM

@richgalloway Thanks for taking the time, hope you're well!

Unfortunately the suggestion does not work.  It continues to index as before.  Here is a tabled output with the indextime as well (timezone gets localized, I am on CET while raw is UTC):

Untitled.png

Potentially useful info: the sourcetype is defined in the props.conf belonging to the app that has been deployed to UF via DS.  It is not defined anywhere on the indexer that receives the data.  This same app contains the shell script as well as inputs.conf.

Best regards,

Andrew

Tags (1)
0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-13-2022 04:48 AM
@andrewtrobec wrote:

Potentially useful info: the sourcetype is defined in the props.conf belonging to the app that has been deployed to UF via DS.  It is not defined anywhere on the indexer that receives the data.  

There's the problem.  The props.conf settings must be on the indexer because it is there that timestamp extraction is done.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

andrewtrobec
Motivator
‎01-13-2022 05:33 AM

@richgalloway That did the trick.  Thanks Rich, appreciate your expert support as always ❤️

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...