Getting Data In

Where are source type names created?

ryan461
Explorer

I'm wondering if there are other locations than inputs.conf, props.conf that a sourcetype might be named/assigned. I have data that's supposed to be marked with sysinfo_binfiles. When I search for this under the app context, I see no sysinfo_binfiles. However, binfiles is a sourcetype, yet I cannot find where this is set. I see in my data inputs list that the input source for the sourcetype sysinfo_binfiles has 0 files, so I'm wondering if they're being sent to another sourcetype.


UPDATE:

I'll have a look at the docs. So for the data input, I used a CIFS mount to where the files are. Then the folder looks like /mnt/server/folder1/*/binfiles.csv. The csv has a list of binaries installed. Then I specify a manual sourcetype for that input as sysinfo_binfiles. Now I browse to the app that this input is for and do a search:

index=* sourcetype="sysinfo_binfiles"

and it returns nothing. If I search the index that the data is being submitted to, I see a sourcetype=binfiles.

0 Karma

ryan461
Explorer

edited

Moved the text to an update to the original question.

0 Karma

kristian_kolb
Ultra Champion

See update to my original answer.

0 Karma

kristian_kolb
Ultra Champion

Well, transforms.conf is one place that could happen. But not without you knowing about it; you'd have to configure it yourself (through a TRANSFORMS-blah = blah in props.conf).

Still not too sure about what you really want, though.

Are you setting (e.g. in inputs.conf) a sourcetype for some input, but it doesn't show up as that sourcetype?

Or are you getting data with a strange/unwanted sourcetype, and you don't know where it's being set?

In either case you'd have to know where your data is being read, what type of forwarder is being used (if any), and in which config file to look. As you may know, there are (usually) several inputs.conf files on any given system. The same can be true for most .conf files, actually.

Check the following to see on which type of splunk instance in a deployment a setting should go.

http://docs.splunk.com/Documentation/Splunk/5.0/Deploy/Datapipeline

http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings%3F

Also, always check for typos/cApiTaLizatIOn in conf files, since that is an easy way to break what looks like a correct conf.


UPDATE:

It could be that the sourcetype binfiles is solely based on the filename where the events originate. This would indicate that your manual sourcetype assignment has failed. How did you make that assignment, and what does the config file look like?

Hope this helps,

Kristian

ryan461
Explorer

So my inputs.conf should be setting the sourcetype. Its entries read as:

[monitor:///mnt/server/systeminfo/*/binfiles.csv]
disabled = 0
followTail = 0
index = systeminfo
sourcetype = sysinfo_binfiles

0 Karma

bmacias84
Champion

Inputs and props are the two typical places, but sourcetype.conf sets the document model used by the file classifier for creating source types.

0 Karma
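Added example, not part of the thread and not Splunk tooling: a small Python scanner that lists every place in a set of .conf files where a sourcetype is assigned directly or rewritten through a props.conf TRANSFORMS- line pointing at a transforms.conf stanza with DEST_KEY = MetaData:Sourcetype. The sample configs are constructed; the inputs.conf stanza mirrors the one posted above, while the props/transforms pair and the names force_st and set_binfiles are hypothetical.

```python
import re

# Constructed sample: the inputs.conf stanza from the thread plus a hypothetical
# props/transforms pair (names force_st, set_binfiles are made up) that
# overrides the sourcetype at index time.
SAMPLE = {
    "inputs.conf": "[monitor:///mnt/server/systeminfo/*/binfiles.csv]\n"
                   "index = systeminfo\nsourcetype = sysinfo_binfiles\n",
    "props.conf": "[source::.../binfiles.csv]\n"
                  "TRANSFORMS-force_st = set_binfiles\n",
    "transforms.conf": "[set_binfiles]\nREGEX = .\n"
                       "DEST_KEY = MetaData:Sourcetype\n"
                       "FORMAT = sourcetype::binfiles\n",
}

def parse_conf(text):
    """Return {stanza: {key: value}} for .conf text, skipping comments."""
    stanzas, current = {}, "default"
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"\[(.*)\]$", line)
        if header:
            current = header.group(1)
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            stanzas.setdefault(current, {})[key] = value
    return stanzas

def find_sourcetype_settings(confs):
    """List (file, stanza, setting, value) for every place a sourcetype is set."""
    parsed = {name: parse_conf(text) for name, text in confs.items()}
    hits, rewriting = [], set()
    # Pass 1: direct assignments, and transforms that write the sourcetype key.
    for name, stanzas in parsed.items():
        for stanza, kv in stanzas.items():
            if "sourcetype" in kv:
                hits.append((name, stanza, "sourcetype", kv["sourcetype"]))
            if kv.get("DEST_KEY") == "MetaData:Sourcetype":
                rewriting.add(stanza)
                hits.append((name, stanza, "FORMAT", kv.get("FORMAT", "")))
    # Pass 2: props.conf TRANSFORMS-<class> lines that call such a transform.
    for name, stanzas in parsed.items():
        for stanza, kv in stanzas.items():
            for key, value in kv.items():
                called = {v.strip() for v in value.split(",")}
                if key.startswith("TRANSFORMS-") and called & rewriting:
                    hits.append((name, stanza, key, value))
    return hits

if __name__ == "__main__":
    for hit in find_sourcetype_settings(SAMPLE):
        print(*hit, sep=" | ")
```

To use it on a real instance, build the dictionary from the inputs.conf, props.conf and transforms.conf files found on the system, keyed by full path so each hit shows which copy of the file it came from.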