How is this possible?
This page shows you the syntax and summary of the Splunk CLI commands.
Splunk CLI command syntax:
./splunk [command] [object] [-parameter <value>]...
* Some commands don't require an object or parameters.
* Some commands have a default parameter that can be specified by its
value alone.
Commands and objects:
* A command is an action that you can perform.
* An object is something you perform an action on.
Supported commands and objects:
[command] [objects]
add [exec|forward-server|index|licenser-pools|licenses|monitor|oneshot|
saved-search|search-server|tcp|udp|user]
anonymize source
clean [all|eventdata|globaldata|userdata]
create app
diag NONE
disable [app|boot-start|deploy-client|deploy-server|discoverable|
dist-search|index|listen|local-index|webserver|web-ssl]
display [app|boot-start|deploy-client|deploy-server|discoverable|
dist-search|index|jobs|listen|local-index]
edit [app|exec|forward-server|index|licenser-localslave|licenses|
licenser-groups|
monitor|saved-search|search-server|tcp|udp|user]
enable [app|deploy-client|deploy-server|discoverable|dist-search|
index|listen|local-index|boot-start|webserver|web-ssl]
export,import [eventdata|userdata]
find logs
help NONE
list [deploy-clients|exec|forward-server|index|licenser-groups|
licenser-localslave|licenser-messages|licenser-pools|licenser-slaves|
licenser-stacks|licenses|jobs|monitor|saved-search|search-server|
source|sourcetype|tcp|udp|user]
login,logout NONE
package app
refresh deploy-clients
reload [auth|deploy-server]
remove [app|exec|forward-server|jobs|licenser-pools|licenses|monitor|
saved-search|search-server|source|sourcetype|tcp|udp|user]
search NONE
set [datastore-dir|deploy-poll|default-hostname|default-index|
minfreemb|servername|server-type|splunkd-port|web-port]
show [config|datastore-dir|deploy-poll|default-hostname|default-index|
jobs|minfreemb|servername|splunkd-port|web-port]
spool NONE
start,stop,restart [monitor|splunkd|splunkweb]
status [monitor|splunkd|splunkweb]
Syntax:
None
Objects:
None
Required Parameters:
None
Optional Parameters:
None
Examples:
None
Type "help [command]" to get help with parameters for a specific command.
Complete documentation is available online at: http://docs.splunk.com/Documentation
root@sphs1i-fileaudit01:/opt/splunk/bin# ./splunk remove sourcetype audit.log
Command error: The subcommand 'sourcetype' is not valid for command 'remove'.
root@sphs1i-fileaudit01:/opt/splunk/bin# ./splunk remove sourcetype
Command error: The subcommand 'sourcetype' is not valid for command 'remove'.
Hi,
All the created sourcetypes are configured in the "props.conf" file under "/etc/system/local". To reuse a sourcetype you previously used, you must delete its configuration first.
Hope this helps!!
Maybe the user that is running Splunk doesn't have the correct rights for the /var/log/samba directory?
You're not giving us a lot of information, that's why nobody is helping.
fbl_itcs,
Thank you, that is the answer.
Just a guess:
Are those sourcetypes you want to delete mentioned in any props.conf/transforms.conf because you configured special treatment there? Take a look and delete any appearance of the sourcetypes in those files.
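One way to do what this answer describes, as an added example that is not from the original thread or from Splunk itself: it assumes Splunk's INI-style .conf layout (a [stanza] header followed by key = value lines, with a UI-created sourcetype appearing as a [<sourcetype_name>] stanza in props.conf), constructs its own sample props.conf, and treats the file path as a placeholder. It drops the stanza for the named sourcetype and reports any other stanza that still references it, so those can be cleaned up by hand too.

```python
import re

STANZA_RE = re.compile(r"^\[(.+)\]\s*$")

# Constructed sample props.conf: two UI-created sourcetypes plus a
# source:: stanza that assigns one of them.
SAMPLE_PROPS = """\
[samba_audit]
SHOULD_LINEMERGE = false
TIME_FORMAT = %Y/%m/%d %H:%M:%S

[User_Created_Foo]
NO_BINARY_CHECK = true

[source::/var/log/samba/audit.log]
sourcetype = samba_audit
"""

def parse_stanzas(text):
    """Split .conf text into an ordered list of (header, [lines]).
    header is None for any lines that precede the first [stanza]."""
    stanzas, header, body = [], None, []
    for line in text.splitlines():
        m = STANZA_RE.match(line)
        if m:
            stanzas.append((header, body))
            header, body = m.group(1), []
        else:
            body.append(line)
    stanzas.append((header, body))
    return stanzas

def remove_sourcetype(text, sourcetype):
    """Drop the [sourcetype] stanza and report other stanzas that still
    reference it (e.g. 'sourcetype = X'), which must be cleaned up too."""
    ref_re = re.compile(r"^\s*sourcetype\s*=\s*" + re.escape(sourcetype) + r"\s*$")
    out, references = [], []
    for header, body in parse_stanzas(text):
        if header == sourcetype:
            continue                       # this is the stanza being removed
        if any(ref_re.match(ln) for ln in body):
            references.append(header)
        chunk = "\n".join(body).strip("\n")
        if header is not None:
            chunk = "[%s]\n%s" % (header, chunk)
        if chunk:
            out.append(chunk)
    return "\n\n".join(out) + "\n", references

def remove_from_file(path, sourcetype):
    """Rewrite a props.conf in place (path is a placeholder, e.g.
    $SPLUNK_HOME/etc/system/local/props.conf); returns stanzas still referencing it."""
    with open(path) as fh:
        text = fh.read()
    new_text, references = remove_sourcetype(text, sourcetype)
    with open(path, "w") as fh:
        fh.write(new_text)
    return references
```

Run it against a copy of the file first and check the returned reference list before restarting Splunk, since a source:: stanza that still names the removed sourcetype will keep assigning it.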
My company recently rolled out Splunk for our Citrix XenApp 6.5 environment (>900 2008 R2 servers). So I'm running Splunk at home on my personal Debian server to get more exposure to this app...love it btw, keep up the good work.
However, I have this question too on my personal Splunk 5.0.1, build 143156 Debian box...
Maybe the title of this question could more specifically read "remove (user created) sourcetype" as this is what I'm after as well.
This seems to be the way I've seen this question answered in other posts too (I'm done searching/reading, it's time to post), but this doesn't delete the sourcetype in the dropdown box chosen when creating an input file.
Specifically, what is being asked is how are user created sourcetypes deleted/removed from the Set Source Type popup box seen by doing the following: Manager » Data inputs » Files & directories » Data preview > Set Source Type popup box.
So far, I understand the steps to be...
Dear Splunk Ninja, please answer what task needs to be done to delete the User_Created_Foo indextype from the Set Source Type popup box in step 3.
Thank you very much!
"The preview feature is a good feature": this will be a good feature when you solve the problem that the user does not get what he expects (better documentation, a teaching video, or something).
I'm new with Splunk. Now it looks like what you get as a web GUI to configure is useless. I added the /var/log/samba/audit.log so many times. In the preview I see that everything is fine, but when I want to search in this file I get 0 results.
After I ran the command /splunk add monitor /var/log/ I was able to search in the log files. But /var/log/samba/audit.log was not in the list of files that can be searched. I had to move this file to /var/log/audit.log; only after this was I able to find something in this file.
ok.
I tried to "add data" on the Splunk web management page for the /var/log/samba/audit.log file, which is created by syslog, to monitor it. I added the file and nothing happened. I can't search in the file.
Then I tried to add a directory with "add data" on the web page. But I can't add any directory. Yes, great feature.........
You can't add a directory on the web site, you can add it on the CLI. .... awesome....
And the last other great feature: when the audit.log is in the /var/log/samba/ directory then Splunk doesn't care about this file, you must place this file in /var/log/.
What do you think about this?
And... yes... The preview feature is a good feature (no sarcasm)... as it helps new users understand how to correctly input different types of files.
(i.e. by using the "Skip preview" option!).
You don't need to place files in /var/log/ for them to be monitored. As long as the user running Splunk (i.e. root) has "read" permissions on the file, Splunk can read it.
I think you should read the docs before jumping in head first, and then start again fresh....
http://docs.splunk.com/Documentation/Splunk/latest/User/AboutthisUserManual
As Ayn said, I think you have misunderstood a few basic concepts here.
In response to the statement:
"Then i try to add a directory with the add data, on the web page. But I cant add any directory. Yes great feature........."
You are probably using the "preview" feature, this is new to Splunk as of 4.3, and yes it does only let you preview files, as directories can have many files, with many different formats... this feature is more of an educational tool to help you understand linebreaking/timestamp recognition etc. You can "monitor" directories if you use the old method...
When I add data to Splunk I can set a "source type" (new source type, or apply an existing source type). After I created a lot of source types, I want to delete them because there are too many.
index=audit.log? I think you're confusing terms here. Before you start deleting stuff, you really need to understand the concept of indexes, sources, sourcetypes etc.
I tried:
index=audit.log | delete
0 line deleted.
Okay, maybe this error is coming from another problem:
You need to delete the events carrying those sourcetypes in that case. Check out the delete
operator: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Delete
What do you mean by removing a sourcetype? A sourcetype is not something that exists by itself, rather it is a property that is assigned to events in the index.