Getting Data In

source type identification in props.conf

tyronetv
Communicator

Given this in the props.conf on my indexer:

[source://c:\Documents and Settings\*\AppData\Roaming\Ipswitch\WS_FTP\Logs\ws_ftp.log]

sourcetype = wsftp_log

[source://c:\Documents and Settings\*\AppData\Roaming\Ipswitch\WS_FTP\Logs\*.rtf]

sourcetype = wsftp_session

[wsftp_log]

TIME_PREFIX = ^

TIME_FORMAT = %Y\.%m\.%d %H:%M

MAX_TIMESTAMP_LOOKAHEAD = 19

SHOULD_LINEMERGE = FALSE

LINE_BREAKER = ([\n\r]+)(?=\d{4}.\d{2}.\d{2}\s\d{2}:\d{2}}

TRUNCATE = 99999

[wsftp_session]

TIME_PREFIX = ^\cf2 \[

TIME_FORMAT = %Y\.%m\.%d %H:%M:%S\.%3N

SHOULD_LINEMERGE = FALSE

MAX_TIMESTAMP_LOOKAHEAD = 30

LINE_BREAKER = ([\n\r]+)(?=^\cf2\s\[)

TRUNCATE = 999999

When I run this:

$SPLUNK_HOME\bin\splunk add oneshot "C:\documents and settings\(my user id)\Appdata\roaming\ipswitch\ws_ftp\logs\ws_ftp.log" -index testing

OR

$SPLUNK_HOME/bin/splunk add oneshot "C:\documents and settings\(my user id)\Appdata\roaming\ipswitch\ws_ftp\logs\salem_file1.rtf" -index testing

It doesn't identify the sourcetype at all.

Why?

0 Karma

weeb
Splunk Employee
Splunk Employee
0 Karma

lukejadamec
Super Champion

Maybe it has something to do with the wildcard in the source name. Did you try specifying the sourcetype in the command?

$SPLUNK_HOME\bin\splunk add oneshot "C:\documents and settings\(my user id)\Appdata\roaming\ipswitch\ws_ftp\logs\ws_ftp.log" -sourcetype wsftp_log -index testing

0 Karma

tyronetv
Communicator

Of course I can identify the sourcetype via the command line. The test was to check whether the props.conf on the indexer would do the identification so I can deploy an app to gather these logs from various machines and various users (hence the * in the path).

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Casting Call: Compete in Cyber Games

Lights, Camera, SecOps: Apply to Compete in Cyber Games     Think you have what it takes to beat the clock? ...

Data Management Digest – June 2026

Welcome to the June 2026 edition of Data Management Digest! This month’s update is short and sweet, with a ...

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...