I am using Splunk universal forwarder 8.1.1 on a Linux server configured as a log aggregator. I have 7 well-defined sourcetypes defined in inputs.conf, based on log files in the following directories: /var/log/remote/LINUX, /var/log/remote/NETWORK, /var/log/remote/VMWARE.
inputs.conf for the LINUX directory:
[monitor:///var/log/remote/LINUX/*.log]
host_regex = LINUX\/(.+)_.+\.log
index = linux-log
sourcetype = linux-messages
disabled = 0
When I do a search I see sourcetypes like the following (in addition to the ones defined in inputs.conf):
cron
cron-4
syslog
cisco-4
I traced these back to learned sourcetypes. The cisco-4 sourcetype is looking at a file in /var/log/remote. Given the sourcetypes I have defined, I would not expect any visibility into that directory.
Is there a way to disable the learned sourcetypes? Or whitelist the ones I want?
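One thing worth checking alongside the sourcetype question is what the host_regex in the stanza above actually captures, because Splunk uses the first capture group of host_regex as the host and falls back to the forwarder's default host when the regex does not match the source path. The following is an added example (not part of the question or of Splunk itself) that runs the question's regex, and a tighter alternative that stops at the first underscore, over a few constructed source paths; the sample paths and the STRICT_HOST_REGEX alternative are assumptions for illustration.

```python
import re

# host_regex from the question's inputs.conf stanza, exactly as written there.
# Splunk applies it unanchored to the source path; group 1 becomes host.
HOST_REGEX = re.compile(r"LINUX\/(.+)_.+\.log")

# Assumed alternative (not from the page): stop the host capture at the
# first underscore so a name like db_primary_messages.log yields "db",
# and never let the capture cross a directory separator.
STRICT_HOST_REGEX = re.compile(r"LINUX\/([^_/]+)_[^/]+\.log")

# Constructed sample source paths, chosen to show the greedy-capture edge
# case, a file with no underscore, and a file outside the LINUX directory.
SAMPLE_SOURCES = [
    "/var/log/remote/LINUX/web01_messages.log",
    "/var/log/remote/LINUX/db_primary_messages.log",
    "/var/log/remote/LINUX/nohost.log",
    "/var/log/remote/cisco-edge.log",
]


def extract_host(source, regex=HOST_REGEX):
    """Return the host Splunk would derive from `source`: the first capture
    group of `regex`, or None when the regex does not match (in which case
    Splunk would fall back to the input's default host)."""
    m = regex.search(source)
    return m.group(1) if m else None


def check_all(sources=SAMPLE_SOURCES):
    """Map each source path to (host from the page's regex, host from the
    stricter regex) so the two behaviours can be compared side by side."""
    return {s: (extract_host(s), extract_host(s, STRICT_HOST_REGEX)) for s in sources}


if __name__ == "__main__":
    for source, (loose, strict) in check_all().items():
        print(f"{source}: page regex -> {loose!r}, strict regex -> {strict!r}")
```

The greedy `(.+)_` in the page's regex backtracks to the last underscore before `.log`, so a file named `db_primary_messages.log` gets host `db_primary`, while a file with no underscore at all matches nothing and keeps the default host. Whether that is the intended behaviour depends on the naming convention of the files in /var/log/remote/LINUX.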
Sourcetypes are defined in props.conf, not in inputs.conf. The sourcetype=foo setting in inputs.conf just tells Splunk which props.conf stanza to apply to the data from that input. If there is no such stanza in props.conf then it becomes a learned sourcetype (and probably learned incorrectly).
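To make the pairing the answer describes concrete, here is an added example (not from the original answer and not Splunk's shipped configuration) of an inputs.conf stanza that names a sourcetype and a props.conf stanza of the same name that defines it explicitly. The line-breaking and timestamp settings are assumptions for a syslog-style messages file and should be adjusted to the real log format; the inputs.conf stanza repeats the one from the question.

```ini
# inputs.conf on the universal forwarder: the sourcetype named here is the
# stanza name Splunk will look up in props.conf.
[monitor:///var/log/remote/LINUX/*.log]
host_regex = LINUX\/(.+)_.+\.log
index = linux-log
sourcetype = linux-messages
disabled = 0

# props.conf: stanza name matches the sourcetype set above, so the data is
# parsed with these settings instead of being treated as a learned sourcetype.
# These are parse-time settings (assumed values for a syslog-style file), so
# the stanza must be present on the indexers or heavy forwarder that parse
# the data; a universal forwarder does not parse events itself.
[linux-messages]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = ^
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 16
TRUNCATE = 10000
```

To confirm which stanzas are actually in effect, `splunk btool inputs list --debug` on the forwarder shows every monitor stanza and the file it came from (which is where an unexpected input covering /var/log/remote itself would surface), and `splunk btool props list linux-messages --debug` on the parsing tier shows whether the named sourcetype stanza exists there.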