Getting Data In

not all sourcetypes showing on the web drop down menu for sourcetype

Engager

Hi,

When I add new data to Splunk I don't see all the SourceTypes being displayed on the drop down. If I select 'create new source type' and then enter a name, I get an error saying "SourceType already exists" - It exists but doesn't display on the web drop down. Could someone please help!

Thanks


Communicator

There's a setting that can be put in each stanza in props.conf called pulldown_type. If this is present and set to true or 1 then the sourcetype appears in the dropdown, otherwise it doesn't.

If you look in $SPLUNK_HOME/etc/system/default/props.conf you'll see many sourcetypes that are configured out-of-the-box, but only a few of them have pulldown_type = true. For example, here are two I've pasted from Splunk 4.3.2:

[log4j]
BREAK_ONLY_BEFORE = \d\d?:\d\d:\d\d
pulldown_type = true
maxDist = 75

[mysqld]
maxDist = 20
BREAK_ONLY_BEFORE = ^\d{6}\s
TIME_FORMAT = %y%m%d %k:%M:%S

So the sourcetype log4j appears in the dropdown but mysqld doesn't.

If you look in $SPLUNK_HOME/etc/system/local/props.conf you'll see entries for sourcetypes that you've configured via the data import/preview functionality. These will all have pulldown_type = 1. For example, here's one of mine:

[farequote]
MAX_TIMESTAMP_LOOKAHEAD = 150
NO_BINARY_CHECK = 1
TIME_FORMAT = %a %m/%d/%y %T
pulldown_type = 1

So, if you want one of the Splunk out-of-the-box sourcetypes that doesn't have pulldown_type = 1 in the default props.conf, edit $SPLUNK_HOME/etc/system/local/props.conf and add a stanza with the same sourcetype name but just the single setting pulldown_type = 1. When Splunk does its config file merging you should then pick up the out-of-the-box settings, but merged with the instruction to put it in the dropdown.

For example, I just put:

[db2_diag]
pulldown_type = 1

in $SPLUNK_HOME/etc/system/local/props.conf, restarted Splunk and now I get db2_diag as an option when I import data.

As for why it's like this, I don't work for Splunk so can't say for sure, but I imagine they didn't want new users being overwhelmed by hundreds of sourcetypes in the dropdown. I totally agree that it's infuriating to find the name you want to use for your sourcetype is already taken yet can't be easily chosen from the dropdown - I've had this problem myself several times.
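To make the config-merging part of the answer above concrete, here is a small script (added for this thread, not Splunk's own code) that models the two layers the answer talks about, system/default and system/local, reports which sourcetypes end up with a true pulldown_type, and writes the minimal local override for a sourcetype that is missing it. Both .conf excerpts are constructed for the demo; the db2_diag default settings in particular are invented, and the parser deliberately skips things like continuation lines and the global [default] stanza.

```python
"""Model Splunk's props.conf layering for pulldown_type.

Added example for this thread, not Splunk's own code. The two .conf excerpts
are constructed; the db2_diag default setting is invented for the demo.
"""
import re

# Constructed stand-in for $SPLUNK_HOME/etc/system/default/props.conf
SAMPLE_DEFAULT = r"""
[log4j]
BREAK_ONLY_BEFORE = \d\d?:\d\d:\d\d
pulldown_type = true
maxDist = 75

[mysqld]
maxDist = 20
BREAK_ONLY_BEFORE = ^\d{6}\s
TIME_FORMAT = %y%m%d %k:%M:%S

[db2_diag]
# invented setting, so the merge has something to preserve
MAX_TIMESTAMP_LOOKAHEAD = 40
"""

# Constructed stand-in for $SPLUNK_HOME/etc/system/local/props.conf
SAMPLE_LOCAL = r"""
[farequote]
MAX_TIMESTAMP_LOOKAHEAD = 150
NO_BINARY_CHECK = 1
TIME_FORMAT = %a %m/%d/%y %T
pulldown_type = 1

[db2_diag]
pulldown_type = 1
"""

STANZA_RE = re.compile(r"^\[(.+)\]$")
# Boolean spellings accepted as true; the page itself only shows "true" and "1".
TRUE_VALUES = {"1", "true", "t", "yes", "y", "on"}


def parse_conf(text):
    """Parse a .conf file into {stanza: {key: value}}.

    Minimal: [stanza] headers, key = value lines, '#' comments, blank lines.
    No continuation lines, no global [default] stanza. Repeated key: last wins.
    """
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = stanzas.setdefault(m.group(1).strip(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas


def merge_layers(*layers):
    """Merge parsed files lowest precedence first, e.g. (default, local).

    Same-named stanzas combine key by key, so a local stanza holding only
    pulldown_type = 1 keeps every other setting from the default stanza.
    """
    merged = {}
    for layer in layers:
        for stanza, settings in layer.items():
            merged.setdefault(stanza, {}).update(settings)
    return merged


def is_true(value):
    return value.strip().lower() in TRUE_VALUES


def dropdown_sourcetypes(merged):
    """Sourcetypes whose merged pulldown_type is true, i.e. shown in the dropdown."""
    return sorted(st for st, s in merged.items() if is_true(s.get("pulldown_type", "0")))


def add_pulldown(local_text, sourcetype):
    """Return local_text with pulldown_type = 1 set for sourcetype.

    Existing stanza: the key goes right under its header and any earlier
    pulldown_type line in that stanza is dropped. Otherwise a two-line stanza
    is appended, as the answer describes for db2_diag.
    """
    target = sourcetype.strip()
    out, in_stanza, done = [], False, False
    for line in local_text.splitlines():
        m = STANZA_RE.match(line.strip())
        if m:
            in_stanza = m.group(1).strip() == target
            out.append(line)
            if in_stanza and not done:
                out.append("pulldown_type = 1")
                done = True
            continue
        if in_stanza and line.split("=", 1)[0].strip() == "pulldown_type":
            continue  # superseded by the line written under the header
        out.append(line)
    if not done:
        if out and out[-1].strip():
            out.append("")
        out += [f"[{target}]", "pulldown_type = 1"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("default only:", dropdown_sourcetypes(merge_layers(parse_conf(SAMPLE_DEFAULT))))
    merged = merge_layers(parse_conf(SAMPLE_DEFAULT), parse_conf(SAMPLE_LOCAL))
    print("with local:  ", dropdown_sourcetypes(merged), merged["db2_diag"])
    print(add_pulldown(SAMPLE_LOCAL, "mysqld"))
```

On a real instance you do not need to model the merge yourself: after editing system/local/props.conf and restarting, `$SPLUNK_HOME/bin/splunk btool props list db2_diag --debug` prints the merged stanza with the file each setting came from, which is the quickest way to confirm the override landed and that the out-of-the-box settings survived. Real deployments also have app-level default and local layers between the two modelled here, so check btool rather than assuming system/local is the only place a stanza lives.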

Engager

Thank you! 🙂
