Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

strangely Behaviuor with Sourcetype

anasshsa
Engager
‎04-26-2019 01:55 AM

I have installed a universal Forwarder on Microsoft Exchange Server and it had starting to send the data from the log files to Splunk Server. I have configured two types of Sourcetype (SEND,RECV) but strangely they became four (SEND,send-too_small,RECV,recv-too_small) and after that it had not indexed the data under SEND or RECV spurcetypes!!!!
I don't know why it's happing. Anyone have an idea!!

Thanks for help 🙂

0 Karma
Reply

PowerPacked
Builder
‎04-26-2019 11:59 AM

Hi

Splunk assigns that sourcetype to files which are having less than 100 lines or 100 events in file.

Check the PREFIX_SOURCETYPE in props.conf

Thanks

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-26-2019 06:20 AM

The "-too_small" suffix indicates Splunk has found data which it could not match to any provided sourcetype. Make sure you have defined a sourcetype for all of the events you expect to index. Share you props.conf settings here if you need help.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...