Re: remove source type

Explorer

"The preview feature, is a good feature": this will be a good feature when you solve the problem that the user does not get what he expects (better documentation, teaching video, or something).

I'm new to Splunk. Right now it looks like what you get as a web GUI to configure is useless. I added /var/log/samba/audit.log so many times. In the preview I see that everything is fine, but when I want to search in this file I get 0 results.

After I ran the command: /splunk add monitor /var/log/ I was able to search in the log files. But /var/log/samba/audit.log was not in the list of files that can be searched. I had to move this file to /var/log/audit.log; only after this was I able to find something in this file.

0 Karma
Re: remove source type

Path Finder

Maybe the user that is running Splunk doesn't have the correct rights for the /var/log/samba directory?

You're not giving us a lot of information, that's why nobody is helping.

0 Karma
Re: remove source type

Explorer

My company recently rolled out Splunk for our Citrix XenApp 6.5 environment (>900 2008 R2 servers). So I'm running Splunk at home on my personal Debian server to get more exposure to this app...love it btw, keep up the good work.

However, I have this question too on my personal Splunk 5.0.1, build 143156 Debian box...

  • "...After i created a lot of source type, i want to delete them because there are too many."

Maybe the title of this question could more specifically read "remove (user created) sourcetype" as this is what I'm after as well.

  • "You need to delete the events carrying those sourcetypes in that case."

This seems to be the way I've seen this question answered in other posts too (I'm done searching/reading, it's time to post), but this doesn't delete the sourcetype in the dropdown box chosen when creating an input file.

Specifically, what is being asked is how are user created sourcetypes deleted/removed from the Set Source Type popup box seen by doing the following: Manager » Data inputs » Files & directories » Data preview > Set Source Type popup box.

So far, I understand the steps to be...

  1. verify your ID has the "deletebykeyword" capability in Manager » Access controls » Roles » yourID
  2. run sourcetype=UserCreatedFoo | Delete in Splunk » Search to remove entries that have the UserCreatedFoo sourcetype
  3. ?

Dear Splunk Ninja, please answer what task needs to be done to delete the UserCreatedFoo indextype from the Set Source Type popup box in step 3.

Thank you very much!

Re: remove source type

Path Finder

Just a guess:

Are those sourcetypes you want to delete mentioned in any props.conf/transforms.conf because you configured special treatment there? Take a look and delete any appearance of the sourcetypes in those files.

Re: remove source type

Explorer

fbl_itcs,

Thank you, that is the answer.

0 Karma
Re: remove source type

Explorer

Hi,

All the created sourcetypes are configured in the "props.conf" file under "/etc/system/local". To reuse a sourcetype you previously used, you must delete its configuration first.

Hope this helps!!

0 Karma
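The props.conf cleanup suggested in the replies above, as an added example that is not part of the original thread or Splunk's own tooling: it drops the `[UserCreatedFoo]` stanza from the text of a props.conf file and lists any remaining lines that still name the sourcetype. The sample file content, the `samba_audit` stanza and the function names are constructed for illustration; exact, case-sensitive stanza matching is an assumption.

```python
import re

# Constructed sample of a props.conf under etc/system/local (not from the thread).
SAMPLE = """\
# constructed sample
[UserCreatedFoo]
SHOULD_LINEMERGE = false
TIME_FORMAT = %Y-%m-%d %H:%M:%S

[samba_audit]
SHOULD_LINEMERGE = false

[source::/var/log/old.log]
sourcetype = UserCreatedFoo
"""

STANZA_RE = re.compile(r"^\s*\[(?P<name>[^\]]*)\]\s*$")


def remove_sourcetype_stanza(conf_text, sourcetype):
    """Return (new_text, removed_lines) with the [sourcetype] stanza dropped.

    Everything from the stanza header up to the next header is removed;
    all other stanzas and comments are kept byte-for-byte.
    """
    kept, removed = [], []
    in_target = False
    for line in conf_text.splitlines(keepends=True):
        match = STANZA_RE.match(line)
        if match:
            in_target = match.group("name") == sourcetype
        (removed if in_target else kept).append(line)
    return "".join(kept), removed


def find_references(conf_text, sourcetype):
    """Return (line_no, line) for non-comment lines that still name the sourcetype."""
    token = re.compile(r"(?<![\w-])" + re.escape(sourcetype) + r"(?![\w-])")
    return [(no, line.strip())
            for no, line in enumerate(conf_text.splitlines(), start=1)
            if not line.lstrip().startswith("#") and token.search(line)]


if __name__ == "__main__":
    cleaned, dropped = remove_sourcetype_stanza(SAMPLE, "UserCreatedFoo")
    print(cleaned)
    print("removed lines:", len(dropped))
    print("still referenced at:", find_references(cleaned, "UserCreatedFoo"))
```

Run it against a copy of the file first and review the leftover references before writing the cleaned text back.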