
disable learned sourcetype

ray88
New Member

I am using Splunk universal forwarder 8.1.1 on a Linux server configured as a log aggregator. I have 7 well-defined sourcetypes defined in inputs.conf based on log files in the following directories: /var/log/remote/LINUX, /var/log/remote/NETWORK, /var/log/remote/VMWARE.

inputs.conf for the LINUX directory:

[monitor:///var/log/remote/LINUX/*.log]
host_regex = LINUX\/(.+)_.+\.log
index = linux-log
sourcetype = linux-messages
disabled = 0


When I do a search I see sourcetypes like the following (in addition to the ones defined in inputs.conf):

cron
cron-4
syslog
cisco-4

I traced these back to learned sourcetypes. The cisco-4 sourcetype is looking at a file in /var/log/remote. Given the sourcetypes I have defined, I would not expect any visibility into that directory.

Is there a way to disable the learned sourcetypes? Or whitelist the ones I want?


esalesapns2
Communicator

I tried creating a default app.conf file with the stanza:

[install]
state = disabled

but it didn't disable the app.

Then I removed the app from etc/apps altogether, but it came back.

We run splunk as user "splunk" so then I removed the app and created a directory etc/apps/learned owned by root with permissions 500 (r-x------) so splunk couldn't recreate it.  That worked.


richgalloway
SplunkTrust

Sourcetypes are defined in props.conf, not in inputs.conf.  The sourcetype=foo setting in inputs.conf just tells Splunk which props.conf stanza to apply to the data from that input.  If there is no such stanza in props.conf then it becomes a learned sourcetype (and probably learned incorrectly).

---
If this reply helps you, Karma would be appreciated.
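The check that follows from this reply is to cross-reference the sourcetypes named in inputs.conf against the stanzas actually present in props.conf: anything referenced but undefined is a candidate for Splunk's automatic learning. The script below is an added example, not code from the thread or from Splunk. The two configuration texts are constructed to mirror the poster's layout (three monitor stanzas, one of which names a sourcetype that props.conf never defines), and the parser is a deliberately small reader of the `[stanza]` / `key = value` format; it does not model app precedence or `source::`/`host::` stanzas, only the two texts it is handed. It also rejects a stanza header that opens `[` without a closing `]`, which is the defect in the stanza quoted in the question.

```python
import re

# Constructed sample inputs.conf modelled on the thread's setup: three monitor
# stanzas, one of which names a sourcetype that props.conf does not define.
SAMPLE_INPUTS = """\
[monitor:///var/log/remote/LINUX/*.log]
host_regex = LINUX\\/(.+)_.+\\.log
index = linux-log
sourcetype = linux-messages
disabled = 0

[monitor:///var/log/remote/NETWORK/*.log]
host_regex = NETWORK\\/(.+)_.+\\.log
index = network-log
sourcetype = network-syslog
disabled = 0

[monitor:///var/log/remote/VMWARE/*.log]
index = vmware-log
sourcetype = vmware-esxi
disabled = 0
"""

# Constructed sample props.conf: only two of the three sourcetypes above get a
# stanza, so the third is the one Splunk would fall back to learning.
SAMPLE_PROPS = """\
[linux-messages]
TIME_FORMAT = %b %d %H:%M:%S
SHOULD_LINEMERGE = false

[network-syslog]
SHOULD_LINEMERGE = false
"""

STANZA_RE = re.compile(r"^\[(.*)\]\s*$")


def parse_conf(text):
    """Parse Splunk .conf text into {stanza_name: {key: value}}.

    Handles '#' comments and 'key = value' lines. Raises ValueError on a
    header that opens '[' without a closing ']' (the defect in the thread's
    quoted stanza) or on a setting that appears before any stanza header.
    """
    stanzas = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            match = STANZA_RE.match(line)
            if match is None:
                raise ValueError(f"line {lineno}: unterminated stanza header {line!r}")
            current = match.group(1)
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"line {lineno}: unexpected line {line!r}")
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def referenced_sourcetypes(inputs_text):
    """Map each sourcetype named in inputs.conf to the input stanzas that use it."""
    refs = {}
    for name, settings in parse_conf(inputs_text).items():
        sourcetype = settings.get("sourcetype")
        if sourcetype:
            refs.setdefault(sourcetype, []).append(name)
    return refs


def sourcetypes_without_props(inputs_text, props_text):
    """Sourcetypes referenced by inputs.conf that have no props.conf stanza."""
    defined = set(parse_conf(props_text))
    return sorted(st for st in referenced_sourcetypes(inputs_text) if st not in defined)


if __name__ == "__main__":
    for st in sourcetypes_without_props(SAMPLE_INPUTS, SAMPLE_PROPS):
        print(f"no props.conf stanza for sourcetype {st!r}; Splunk will have to guess it")
```

Run against the constructed samples it reports `vmware-esxi` as the one sourcetype that inputs.conf references but props.conf never defines. To use it on a real deployment, feed it the merged configuration (for example the output of `splunk btool inputs list` and `splunk btool props list`) rather than a single file, since a stanza may live in any app directory.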