Getting Data In

disable learned sourcetype

ray88
New Member

I am using Splunk universal forwarder 8.1.1 on a linux server configured as a log aggregator.  I have 7 well defined sourcetypes defined on inputs.conf based on log files in the following directories: /var/log/remote/LINUX, /var/log/remote/NETWORK, /var/log/remote/VMWARE.

 

inputs.conf for LINUX directory

[monitor:///var/log/remote/LINUX/*.log

host_regex = LINUX\/(.+)_.+\.log

index=linux-log

sourcetype=linux-messages

disabled = 0

 

When I do a search I see sourcetypes like (in addition to ones defined in inputs.conf)

cron

cron-4

syslog

cisco-4

I traced these back to learned sourcetypes.  The ciso-r sourcetype is looking at a file in /var/log/remote.  Given the sourcetypes I have defined I would not expect any visibility into that directory.

Is there a way to disable the learned sourcetypes? Or whitelist the ones I want?

 

Labels (2)
0 Karma

esalesapns2
Communicator

I tried creating a default app.conf file with the stanza:

[install]
state = disabled

but it didn't disable the app.

Then I removed the app from etc/apps altogether, but it came back.

We run splunk as user "splunk" so then I removed the app and created a directory etc/apps/learned owned by root with permissions 500 (r-x------) so splunk couldn't recreate it.  That worked.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Sourcetypes are defined in props.conf, not in inputs.conf.  The sourcetype=foo setting in inputs.conf just tells Splunk which props.conf stanza to apply to the data from that input.  If there is no such stanza in props.conf then it becomes a learned sourcetype (and probably learned incorrectly).

---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...