Re: disable learned sourcetype

ray88 · ‎11-24-2021

I am using Splunk universal forwarder 8.1.1 on a linux server configured as a log aggregator. I have 7 well defined sourcetypes defined on inputs.conf based on log files in the following directories: /var/log/remote/LINUX, /var/log/remote/NETWORK, /var/log/remote/VMWARE.

inputs.conf for LINUX directory

[monitor:///var/log/remote/LINUX/*.log

host_regex = LINUX\/(.+)_.+\.log

index=linux-log

sourcetype=linux-messages

disabled = 0

When I do a search I see sourcetypes like (in addition to ones defined in inputs.conf)

cron

cron-4

syslog

cisco-4

I traced these back to learned sourcetypes. The ciso-r sourcetype is looking at a file in /var/log/remote. Given the sourcetypes I have defined I would not expect any visibility into that directory.

Is there a way to disable the learned sourcetypes? Or whitelist the ones I want?

esalesapns2 · ‎10-09-2024

I tried creating a default app.conf file with the stanza:

[install]
state = disabled

but it didn't disable the app.

Then I removed the app from etc/apps altogether, but it came back.

We run splunk as user "splunk" so then I removed the app and created a directory etc/apps/learned owned by root with permissions 500 (r-x------) so splunk couldn't recreate it. That worked.

richgalloway · ‎11-24-2021

Sourcetypes are defined in props.conf, not in inputs.conf. The sourcetype=foo setting in inputs.conf just tells Splunk which props.conf stanza to apply to the data from that input. If there is no such stanza in props.conf then it becomes a learned sourcetype (and probably learned incorrectly).

---
If this reply helps you, Karma would be appreciated.

disable learned sourcetype

sourcetype

universal forwarder

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

Splunk Community Badges!

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Are you a member of the Splunk Community?