Getting Data In

sourcetype in input.conf being ignored

krugger
Communicator

I have configured local/input.conf as:

[splunktcp://20005]
index = dns
sourcetype = dnslog

However only 2 of the 3 servers are getting the sourcetype dnslog. The problem server is getting something related to the hostname as sourcetype and there is a hostname-too_small sourcetype too.

Why aren't all servers getting the same sourcetype?

I have been looking through input.conf.spec and apparently I can't put sourcetype below splunktcp. So I should use tcp://200005 instead of splunktcp?

0 Karma
1 Solution

Ayn
Legend

splunktcp is for intra-Splunk traffic, like a Universal Forwarder sending logs to an indexer. In that case the forwarder will set the sourcetype before it sends data to the indexer, so specifying a sourcetype at the indexer doesn't make sense in that scenario.

tcp is for receiving events as raw data, so if you point a forwarder to a tcp input on the indexer you will get all kinds of binary data in your events.

If you for some reason want to force the sourcetype for your splunktcp input on the indexer, there are ways to do that by rewriting the sourcetype using props.conf/transforms.conf, but really you should be specifying this sourcetype on the Splunk instance that is performing the initial gathering of logs before sending them off to the indexer.

0 Karma


lguinn2
Legend

You should not be using splunktcp for regular data. I assume that the three servers are sending their data directly to Splunk. You should be using tcp for this.

splunktcp is for the indexer to listen to packets sent by a Splunk forwarder. It is for Splunk-to-Splunk communication only.

I am actually surprised that it works at all, the way it is configured now!

0 Karma
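The configuration split that both answers describe, written out as an added example (this is not configuration posted by any of the participants). It assumes the DNS servers run a Universal Forwarder and that the log file path, the indexer hostname and the host name `dns-server-03` are placeholders; the listening port 20005 is the one from the question. Note that the file is named `inputs.conf`, not `input.conf`; a file with the wrong name is silently ignored.

```ini
# ===== Forwarder side: $SPLUNK_HOME/etc/system/local/inputs.conf on each DNS server =====
# The sourcetype is assigned here, on the instance that first reads the data.
# File path is a placeholder assumption.
[monitor:///var/log/named/query.log]
index = dns
sourcetype = dnslog

# ===== Forwarder side: outputs.conf, pointing at the indexer's Splunk-to-Splunk port =====
[tcpout]
defaultGroup = dns_indexers

[tcpout:dns_indexers]
# hypothetical indexer address; the port matches the splunktcp stanza below
server = indexer.example.internal:20005

# ===== Indexer side: inputs.conf =====
# splunktcp receives the forwarder's already-tagged events; index and sourcetype
# are carried in the stream, so nothing is set here.
[splunktcp://20005]
disabled = 0

# Alternative, only if the servers send raw log lines straight to the indexer
# with no forwarder in between (a tcp and a splunktcp stanza cannot share a port):
# [tcp://20005]
# index = dns
# sourcetype = dnslog

# ===== Indexer side: the props.conf/transforms.conf override Ayn mentions =====
# props.conf: apply the rewrite only to the host that arrives with the wrong sourcetype
[host::dns-server-03]
TRANSFORMS-force_dnslog = force_dnslog_sourcetype

# transforms.conf: index-time rewrite of the sourcetype metadata field
[force_dnslog_sourcetype]
SOURCE_KEY = _raw
REGEX = .
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::dnslog
```

The `<hostname>-too_small` sourcetype seen on the third server is what Splunk assigns when no sourcetype was set upstream and it had too few events from that source to auto-classify it; once the forwarder stanza carries `sourcetype = dnslog`, that guessing step never runs. The index-time override at the bottom is the fallback for data that is already in flight and cannot be re-tagged at the forwarder; it only affects events indexed after the restart, not events already on disk.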