Re: disable learned sourcetype

ray88 · ‎11-24-2021

I am using Splunk universal forwarder 8.1.1 on a linux server configured as a log aggregator. I have 7 well defined sourcetypes defined on inputs.conf based on log files in the following directories: /var/log/remote/LINUX, /var/log/remote/NETWORK, /var/log/remote/VMWARE.

inputs.conf for LINUX directory

[monitor:///var/log/remote/LINUX/*.log

host_regex = LINUX\/(.+)_.+\.log

index=linux-log

sourcetype=linux-messages

disabled = 0

When I do a search I see sourcetypes like (in addition to ones defined in inputs.conf)

cron

cron-4

syslog

cisco-4

I traced these back to learned sourcetypes. The ciso-r sourcetype is looking at a file in /var/log/remote. Given the sourcetypes I have defined I would not expect any visibility into that directory.

Is there a way to disable the learned sourcetypes? Or whitelist the ones I want?

richgalloway · ‎11-24-2021

Sourcetypes are defined in props.conf, not in inputs.conf. The sourcetype=foo setting in inputs.conf just tells Splunk which props.conf stanza to apply to the data from that input. If there is no such stanza in props.conf then it becomes a learned sourcetype (and probably learned incorrectly).

---
If this reply helps you, Karma would be appreciated.

disable learned sourcetype

sourcetype

universal forwarder

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!