"The preview feature is a good feature": this will be a good feature when you solve the problem that the user does not get what he expects (better documentation, a teaching video, or something).
I'm new to Splunk. Now it looks like what you get as a web GUI to configure is useless. I added /var/log/samba/audit.log so many times. In the preview I see that everything is fine, but when I want to search in this file I get 0 results.
After I ran the command: /splunk add monitor /var/log/ I was able to search in the log files. But /var/log/samba/audit.log was not in the list of files that can be searched. I had to move this file to /var/log/audit.log; only after this was I able to find something in this file.
Maybe the user that is running Splunk doesn't have the correct rights for the /var/log/samba directory?
You're not giving us a lot of information, that's why nobody is helping.
My company recently rolled out Splunk for our Citrix XenApp 6.5 environment (>900 2008 R2 servers). So I'm running Splunk at home on my personal Debian server to get more exposure to this app...love it btw, keep up the good work.
However, I have this question too on my personal Splunk 5.0.1, build 143156 Debian box...
Maybe the title of this question could more specifically read "remove (user created) sourcetype" as this is what I'm after as well.
This seems to be the way I've seen this question answered in other posts too (I'm done searching/reading, it's time to post), but this doesn't delete the sourcetype in the dropdown box chosen when creating an input file.
Specifically, what is being asked is how are user created sourcetypes deleted/removed from the Set Source Type popup box seen by doing the following: Manager » Data inputs » Files & directories » Data preview > Set Source Type popup box.
So far, I understand the steps to be...
Dear Splunk Ninja, please answer what task needs to be done to delete the UserCreatedFoo indextype from the Set Source Type popup box in step 3.
Thank you very much!
Just a guess:
Are those sourcetypes you want to delete mentioned in any props.conf/transforms.conf because you configured special treatment there? Take a look and delete any appearance of the sourcetypes in those files.
All the created sourcetypes were configured in the "props.conf" file under "/etc/system/local". To reuse a sourcetype you previously used, you must delete its configuration first.
Hope this helps!!
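The check suggested in the last two answers can be scripted. This is an added example, not code from the thread or from Splunk: it walks a configuration root and reports every stanza or setting in props.conf and transforms.conf that mentions a given sourcetype, so each hit can be reviewed before it is deleted. The sample files, the `samba_audit` and `force_foo` names, and the directory layout built by `build_sample` are constructed for the demonstration.

```python
import os
import re
import tempfile

CONF_NAMES = {"props.conf", "transforms.conf"}

def find_sourcetype_refs(conf_root, sourcetype):
    """Return sorted (path, line_no, kind, text) for each mention of sourcetype."""
    stanza = "[" + sourcetype + "]"
    # Match the name as a whole token, e.g. in "FORMAT = sourcetype::Name"
    word = re.compile(r"(?<![\w-])" + re.escape(sourcetype) + r"(?![\w-])")
    hits = []
    for dirpath, _dirs, files in os.walk(conf_root):
        for name in files:
            if name not in CONF_NAMES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for no, line in enumerate(fh, 1):
                    text = line.strip()
                    if not text or text.startswith("#"):
                        continue  # skip blank lines and comments
                    if text == stanza:
                        hits.append((path, no, "stanza", text))
                    elif word.search(text):
                        hits.append((path, no, "reference", text))
    return sorted(hits)

def build_sample(root):
    """Write constructed sample config files (not taken from the thread)."""
    local = os.path.join(root, "system", "local")
    os.makedirs(local)
    with open(os.path.join(local, "props.conf"), "w") as fh:
        fh.write("[UserCreatedFoo]\nSHOULD_LINEMERGE = false\n\n"
                 "[samba_audit]\nTRANSFORMS-set = force_foo\n")
    with open(os.path.join(local, "transforms.conf"), "w") as fh:
        fh.write("[force_foo]\nREGEX = .\nDEST_KEY = MetaData:Sourcetype\n"
                 "FORMAT = sourcetype::UserCreatedFoo\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        for path, no, kind, text in find_sourcetype_refs(root, "UserCreatedFoo"):
            print(f"{os.path.relpath(path, root)}:{no}: {kind}: {text}")
```

The script only reports; pointing it at the real configuration directory and removing the reported stanzas remains a manual step.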