
remove source type

Explorer

How is this possible?

./splunk help commands

This page shows you the syntax and summary of the Splunk CLI commands.

Splunk CLI command syntax:

./splunk [command] [object] [-parameter <value>]...

* Some commands don't require an object or parameters.
* Some commands have a default parameter that can be specified by its
  value alone.

Commands and objects:

* A command is an action that you can perform.
* An object is something you perform an action on.

Supported commands and objects:

    [command]           [objects]

    add                 [exec|forward-server|index|licenser-pools|licenses|monitor|oneshot|
                        saved-search|search-server|tcp|udp|user]

    anonymize           source

    clean               [all|eventdata|globaldata|userdata]

    create              app

    diag                NONE

    disable             [app|boot-start|deploy-client|deploy-server|discoverable|
                        dist-search|index|listen|local-index|webserver|web-ssl]

    display             [app|boot-start|deploy-client|deploy-server|discoverable|
                        dist-search|index|jobs|listen|local-index]

    edit                [app|exec|forward-server|index|licenser-localslave|licenses|
                        licenser-groups|
                        monitor|saved-search|search-server|tcp|udp|user]

    enable              [app|deploy-client|deploy-server|discoverable|dist-search|
                        index|listen|local-index|boot-start|webserver|web-ssl]

    export,import       [eventdata|userdata]

    find                logs

    help                NONE

    list                [deploy-clients|exec|forward-server|index|licenser-groups|
                        licenser-localslave|licenser-messages|licenser-pools|licenser-slaves|
                        licenser-stacks|licenses|jobs|monitor|saved-search|search-server|
                        source|sourcetype|tcp|udp|user]

    login,logout        NONE

    package             app

    refresh             deploy-clients

    reload              [auth|deploy-server]

    remove              [app|exec|forward-server|jobs|licenser-pools|licenses|monitor|
                        saved-search|search-server|source|sourcetype|tcp|udp|user]

    search              NONE

    set                 [datastore-dir|deploy-poll|default-hostname|default-index|
                        minfreemb|servername|server-type|splunkd-port|web-port]

    show                [config|datastore-dir|deploy-poll|default-hostname|default-index|
                        jobs|minfreemb|servername|splunkd-port|web-port]

    spool               NONE

    start,stop,restart  [monitor|splunkd|splunkweb]

    status              [monitor|splunkd|splunkweb]

Syntax:

    None

Objects:

    None

Required Parameters:

    None

Optional Parameters:

    None

Examples:

    None

Type "help [command]" to get help with parameters for a specific command.

Complete documentation is available online at: http://docs.splunk.com/Documentation

root@sphs1i-fileaudit01:/opt/splunk/bin# ./splunk remove sourcetype audit.log

Command error: The subcommand 'sourcetype' is not valid for command 'remove'.
root@sphs1i-fileaudit01:/opt/splunk/bin# ./splunk remove sourcetype

Command error: The subcommand 'sourcetype' is not valid for command 'remove'.


Re: remove source type

Legend

What do you mean by removing a sourcetype? A sourcetype is not something that exists by itself, rather it is a property that is assigned to events in the index.


Re: remove source type

Explorer

When I add data to Splunk, I can set a "source type" (a new source type, or apply an existing source type). After I created a lot of source types, I want to delete them because there are too many.


Re: remove source type

Legend

You need to delete the events carrying those sourcetypes in that case. Check out the delete operator: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Delete

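Putting the two answers above together, as an added example that is not part of this thread and not Splunk's own tooling: because a sourcetype is only a property that an input stamps on events, the practical way to "remove" one is to find which monitor stanzas in inputs.conf assign it, remove those inputs so nothing new arrives under that sourcetype, and only then (optionally) delete the already-indexed events. The inputs.conf below is a constructed sample, the command names are taken from the `help commands` table in the question, and the script prints the CLI commands instead of executing them, so it runs without a Splunk install.

```shell
#!/bin/sh
# Added example (not from the thread, not from Splunk): map a sourcetype
# back to the monitor inputs that assign it, and print the commands that
# stop ingesting under it. There is no "remove sourcetype" object because
# a sourcetype only exists as a field on events and as a setting on inputs.

# Constructed sample inputs.conf; not the poster's real configuration.
SAMPLE_INPUTS='[monitor:///var/log/samba/audit.log]
sourcetype = samba_audit
index = main

[monitor:///var/log/auth.log]
sourcetype = linux_secure
index = main

[monitor:///var/log/samba/old_audit.log]
sourcetype=samba_audit
index = main
'

CONF="$(mktemp)"
trap 'rm -f "$CONF"' EXIT
printf '%s' "$SAMPLE_INPUTS" > "$CONF"

# Print, one per line, the monitored paths whose stanza in $1 sets
# sourcetype = $2. Accepts "key = value" with or without spaces.
stanzas_for_sourcetype() {
    awk -v want="$2" '
        /^\[monitor:\/\/.*\]$/ { path = substr($0, 12, length($0) - 12); next }
        /^\[/                  { path = ""; next }   # some other stanza type
        /^sourcetype[ \t]*=/   {
            sub(/^sourcetype[ \t]*=[ \t]*/, "")
            sub(/[ \t]+$/, "")
            if (path != "" && $0 == want) print path
        }
    ' "$1"
}

# Number of inputs in $1 that assign sourcetype $2 (0 means nothing to remove).
count_inputs_for_sourcetype() {
    stanzas_for_sourcetype "$1" "$2" | awk 'END { print NR }'
}

# Print (never run) the admin's plan. "remove monitor" is the CLI object
# from the help table; "| delete" needs a role holding can_delete, is
# irreversible, and only hides events (it frees no disk), so events that
# were already indexed keep the old sourcetype until their bucket ages out.
removal_plan() {
    conf="$1"; st="$2"
    stanzas_for_sourcetype "$conf" "$st" | while IFS= read -r p; do
        printf './splunk remove monitor "%s"\n' "$p"
    done
    printf '# optional, as a user with can_delete: index=<index> sourcetype=%s | delete\n' "$st"
}

removal_plan "$CONF" samba_audit
```

Running it prints two `remove monitor` lines for the sample above (both stanzas that carry `samba_audit`) and leaves `/var/log/auth.log` alone; the search at the end is a reminder, not something the script executes.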

Re: remove source type

Explorer

I try:

index=audit.log | delete

0 line deleted.

Okay, maybe this error is coming from another problem:

  1. I can't add a directory to monitor and index, for example /var/log/.
  2. I added the /var/log/samba/audit.log file to the data inputs. It looks like the file is added, but when I try to search I find nothing. Just as if the file were not added to the data inputs and no index had been generated.

Re: remove source type

Legend

index=audit.log? I think you're confusing terms here. Before you start deleting stuff, you really need to understand the concept of indexes, sources, sourcetypes etc.


Re: remove source type

Explorer

OK.

I tried to "add data" on the Splunk web management page for the /var/log/samba/audit.log file, which is created by syslog, to monitor it. I added the file and nothing happened. I can't search in the file.

Then I tried to add a directory with "add data" on the web page. But I can't add any directory. Yes, great feature.........

You can't add a directory on the web site, but you can add it on the CLI. .... Awesome....

And the last other great feature: when the audit.log is in the /var/log/samba/ directory, Splunk doesn't care about this file; you must place this file in /var/log/.

What do you think about this?


Re: remove source type

Influencer

As Ayn said, I think you have misunderstood a few basic concepts here.

In response to the statement:

"Then i try to add a directory with the add data, on the web page. But I cant add any directory. Yes great feature........."

You are probably using the "preview" feature. This is new to Splunk as of 4.3, and yes, it does only let you preview files, as directories can have many files with many different formats... This feature is more of an educational tool to help you understand linebreaking/timestamp recognition etc. You can add "monitors" on directories if you use the old method...


Re: remove source type

Influencer

(i.e. by using the "Skip preview" option!).

You don't need to place files in /var/log/ for them to be monitored. As long as the user running Splunk (i.e. root) has "read" permissions on the file, Splunk can read it.

I think you should read the docs before jumping in head first, and then start again fresh....

http://docs.splunk.com/Documentation/Splunk/latest/User/AboutthisUserManual


Re: remove source type

Influencer

And... yes... The preview feature is a good feature (no sarcasm)... as it helps new users understand how to correctly input different types of files.