sourcetype in input.conf being ignored

krugger
Communicator

I have configured local/input.conf as:

[splunktcp://20005]
index = dns
sourcetype = dnslog

However only 2 of the 3 servers are getting the sourcetype dnslog. The problem server is getting something related to the hostname as sourcetype and there is a hostname-too_small sourcetype too.

Why aren't all servers getting the same sourcetype?

I have been looking through input.conf.spec and apparently I can't put sourcetype below splunktcp. So I should use tcp://200005 instead of splunktcp?


Ayn
Legend

splunktcp is for intra-Splunk traffic, like a Universal Forwarder sending logs to an indexer. In that case the forwarder will set the sourcetype before it sends data to the indexer, so specifying a sourcetype at the indexer doesn't make sense in that scenario.

tcp is for receiving events as raw data, so if you point a forwarder to a tcp input on the indexer you will get all kinds of binary data in your events.

If you for some reason want to force the sourcetype for your splunktcp input on the indexer, there are ways to do that by rewriting the sourcetype using props.conf/transforms.conf, but really you should be specifying this sourcetype on the Splunk instance that is performing the initial gathering of logs before sending them off to the indexer.


lguinn2
Legend

You should not be using splunktcp for regular data. I assume that the three servers are sending their data directly to Splunk. You should be using tcp for this.

splunktcp is for the indexer to listen to packets sent by a Splunk forwarder. It is for Splunk-to-Splunk communication only.

I am actually surprised that it works at all, the way it is configured now!

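Added example, not part of any reply in this thread: the three configurations the answers above describe, side by side. The splunktcp stanza from the question is shown first with a comment on why its sourcetype is ignored, followed by (A) a raw tcp input for servers that send directly, (B) the forwarder-side inputs.conf that should carry the sourcetype for Splunk-to-Splunk traffic, and (C) the props.conf/transforms.conf rewrite Ayn mentions for forwarded data that still arrives mislabelled. The log path /var/log/named/query.log, the host name dns03 and the network 10.0.0.0/24 are placeholders chosen for the example; the port 20005, index dns and sourcetype dnslog come from the question. Options A and B are alternatives for the same port and belong in different deployments, not the same inputs.conf.

```ini
# --- Indexer: $SPLUNK_HOME/etc/system/local/inputs.conf (as in the question) ---
# splunktcp:// carries Splunk-to-Splunk traffic. The forwarder has already
# stamped each event with a sourcetype, so this setting is never applied and
# each sending host keeps its autodetected value (e.g. <host>-too_small).
[splunktcp://20005]
index = dns
sourcetype = dnslog

# --- Option A: DNS servers write raw syslog text straight to the indexer ---
# A tcp:// input treats the stream as raw lines, so sourcetype is honoured.
# connection_host = dns sets the host field from the sender's reverse DNS;
# acceptFrom limits which senders may connect to this unauthenticated port
# (10.0.0.0/24 is a placeholder for the DNS servers' subnet).
[tcp://20005]
index = dns
sourcetype = dnslog
connection_host = dns
acceptFrom = 10.0.0.0/24

# --- Option B: a Universal Forwarder on each DNS server ---
# Set the sourcetype where the data is collected. The log path is hypothetical.
# (Forwarder: $SPLUNK_HOME/etc/system/local/inputs.conf)
[monitor:///var/log/named/query.log]
index = dns
sourcetype = dnslog

# The indexer's receiving stanza then stays bare; the forwarder decides
# index and sourcetype. acceptFrom is a placeholder subnet again.
# (Indexer: $SPLUNK_HOME/etc/system/local/inputs.conf)
[splunktcp://20005]
acceptFrom = 10.0.0.0/24

# --- Option C: force the sourcetype at the indexer for one forwarded host ---
# Keyed off the sending host (dns03 is a placeholder). REGEX = . matches
# every event, so all of them are rewritten at index time.
# (Indexer: props.conf)
[host::dns03]
TRANSFORMS-set_dnslog = force_dnslog_sourcetype

# (Indexer: transforms.conf)
[force_dnslog_sourcetype]
REGEX = .
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::dnslog
```

After changing any of these files, restart the indexer (or reload the inputs) and confirm with a search such as index=dns | stats count by host, sourcetype that every host now reports dnslog; a lingering <host>-too_small value means that host is still being detected rather than assigned.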