Re: disable learned sourcetype

ray88 · ‎11-24-2021

I am using Splunk universal forwarder 8.1.1 on a linux server configured as a log aggregator. I have 7 well defined sourcetypes defined on inputs.conf based on log files in the following directories: /var/log/remote/LINUX, /var/log/remote/NETWORK, /var/log/remote/VMWARE.

inputs.conf for LINUX directory

[monitor:///var/log/remote/LINUX/*.log

host_regex = LINUX\/(.+)_.+\.log

index=linux-log

sourcetype=linux-messages

disabled = 0

When I do a search I see sourcetypes like (in addition to ones defined in inputs.conf)

cron

cron-4

syslog

cisco-4

I traced these back to learned sourcetypes. The ciso-r sourcetype is looking at a file in /var/log/remote. Given the sourcetypes I have defined I would not expect any visibility into that directory.

Is there a way to disable the learned sourcetypes? Or whitelist the ones I want?

esalesapns2 · ‎10-09-2024

I tried creating a default app.conf file with the stanza:

[install]
state = disabled

but it didn't disable the app.

Then I removed the app from etc/apps altogether, but it came back.

We run splunk as user "splunk" so then I removed the app and created a directory etc/apps/learned owned by root with permissions 500 (r-x------) so splunk couldn't recreate it. That worked.

richgalloway · ‎11-24-2021

Sourcetypes are defined in props.conf, not in inputs.conf. The sourcetype=foo setting in inputs.conf just tells Splunk which props.conf stanza to apply to the data from that input. If there is no such stanza in props.conf then it becomes a learned sourcetype (and probably learned incorrectly).

---
If this reply helps you, Karma would be appreciated.

disable learned sourcetype

sourcetype

universal forwarder

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?