Getting Data In

Where are source type names created?

Explorer

I'm wondering if there are other locations than inputs.conf and props.conf where a sourcetype might be named/assigned. I have data that's supposed to be marked with sysinfo_binfiles. When I search for this under the app context, I see no sysinfo_binfiles. However, binfiles is a sourcetype, yet I cannot find where this is set. I see in my data inputs list that the input source for the sourcetype sysinfo_binfiles has 0 files, so I'm wondering if they're being sent to another sourcetype.


UPDATE:

I'll have a look at the docs. So for the data input, I used a CIFS mount to where the files are. Then the folder looks like /mnt/server/folder1/*/binfiles.csv. The CSV has a list of binaries installed. Then I specify a manual sourcetype for that input as sysinfo_binfiles. Now I browse to the app that this input is for and do a search:

index=* sourcetype="sysinfo_binfiles"

and it returns nothing. If I search the index that the data is being submitted to, I see a sourcetype=binfiles.


Explorer

edited

moved the text to an update to the original question.


Ultra Champion

see update to my original answer


Ultra Champion

Well, transforms.conf is one place that could happen. But not without you knowing about it; you'd have to configure it yourself (through a TRANSFORMS-blah = blah in props.conf).

Still not too sure about what you really want, though.

Are you setting (e.g. in inputs.conf) a sourcetype for some input, but it doesn't show up as that sourcetype?

Or are you getting data with a strange/unwanted sourcetype, and you don't know where it's being set?

In either case you'd have to know where your data is being read, what type of forwarder is being used (if any), and in which config file to look. As you may know, there are (usually) several inputs.conf files on any given system. The same can be true for most .conf files, actually.

Check the following to see on which type of splunk instance in a deployment a setting should go.

http://docs.splunk.com/Documentation/Splunk/5.0/Deploy/Datapipeline

http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings%3F

Also, always check for typos/cApiTaLizatIOn in conf files, since that is an easy way to break what looks like a correct conf.


UPDATE:

It could be that the sourcetype binfiles is solely based on the filename where the events originate. This would indicate that your manual sourcetype assignment has failed. How did you make that assignment, and what does the config file look like?

Hope this helps,

Kristian
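Added example, not code from any post above and not Kristian's: a small Python resolver that mimics the two checks suggested in the answer, namely "which of the several inputs.conf files on this instance actually claims this file and sets its sourcetype" and "is any key mis-capitalized". The layer order, file paths, stanzas and values are constructed for illustration; the precedence order is passed in explicitly (lowest first) rather than reimplementing Splunk's full rules, and the monitor wildcard handling is an approximation of the documented semantics ('*' stays inside one path segment, '...' crosses directories, a bare directory is monitored recursively).

```python
# Added example: layered Splunk-style inputs.conf resolver (constructed data,
# not the original poster's configuration).
import re

# inputs.conf keys in their exact Splunk spelling; Splunk keys are case-sensitive,
# so "SourceType" or "Sourcetype" would silently do nothing.
KNOWN_KEYS = {"disabled", "followTail", "index", "sourcetype", "host",
              "whitelist", "blacklist", "crcSalt"}


def parse_conf(text):
    """Parse stanza-style conf text into {stanza: {key: value}}, keeping key case."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def merge_layers(layers):
    """Merge [(origin_path, conf_text), ...] given lowest precedence first.
    Each key remembers the file that last set it, like btool --debug does."""
    merged = {}
    for origin, text in layers:
        for stanza, kv in parse_conf(text).items():
            for k, v in kv.items():
                merged.setdefault(stanza, {})[k] = (v, origin)
    return merged


def case_typos(merged):
    """Keys that only match a known key once lower-cased: (origin, stanza, bad, expected)."""
    lowered = {k.lower(): k for k in KNOWN_KEYS}
    found = []
    for stanza, kv in merged.items():
        for k, (_, origin) in kv.items():
            if k not in KNOWN_KEYS and k.lower() in lowered:
                found.append((origin, stanza, k, lowered[k.lower()]))
    return found


def monitor_regex(pattern):
    """Approximate Splunk monitor wildcards: '...' spans directories, '*' does not,
    and a matched directory covers everything beneath it."""
    out = ""
    for part in re.split(r"(\.\.\.|\*)", pattern):
        if part == "...":
            out += ".*"
        elif part == "*":
            out += "[^/]*"
        else:
            out += re.escape(part)
    return re.compile("^" + out + "(/.*)?$")


def matching_stanzas(merged, path):
    """Every monitor stanza that claims `path`, with the sourcetype it sets (if any)
    and the file that set it. An empty list is the '0 files' situation."""
    hits = []
    for stanza, kv in merged.items():
        if not stanza.startswith("monitor://"):
            continue
        if monitor_regex(stanza[len("monitor://"):]).match(path):
            st = kv.get("sourcetype")
            hits.append({"stanza": stanza,
                         "sourcetype": st[0] if st else None,
                         "set_in": st[1] if st else None})
    return hits


# Constructed sample layers (hypothetical paths and contents).
SYSTEM_LOCAL = """
[monitor:///mnt/server/systeminfo]
index = systeminfo
"""
APP_LOCAL = """
[monitor:///mnt/server/systeminfo/*/binfiles.csv]
disabled = 0
followTail = 0
index = systeminfo
sourcetype = sysinfo_binfiles
"""
OTHER_APP = """
[monitor:///mnt/server/systeminfo/*/pkgs.csv]
SourceType = sysinfo_pkgs
"""
LAYERS = [("etc/apps/other/local/inputs.conf", OTHER_APP),
          ("etc/apps/sysinfo/local/inputs.conf", APP_LOCAL),
          ("etc/system/local/inputs.conf", SYSTEM_LOCAL)]

if __name__ == "__main__":
    merged = merge_layers(LAYERS)
    for typo in case_typos(merged):
        print("case typo:", typo)
    for p in ("/mnt/server/systeminfo/host1/binfiles.csv",
              "/mnt/server/systeminfo/host1/extra/binfiles.csv"):
        print(p, "->", matching_stanzas(merged, p))
```

Run as-is it flags the mis-capitalized SourceType key, shows that the first path is claimed both by the app stanza (which sets sysinfo_binfiles) and by the broader system/local directory stanza (which sets nothing), and that a file one directory deeper is claimed only by the directory stanza, so no explicit sourcetype applies and Splunk will fall back to automatic sourcetyping.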

Explorer

So my inputs.conf should be setting the sourcetype. Its entries read as:

[monitor:///mnt/server/systeminfo/*/binfiles.csv]
disabled = 0
followTail = 0
index = systeminfo
sourcetype = sysinfo_binfiles


Champion

inputs and props are the two typical places, but sourcetype.conf sets the document model used by the file classifier for creating source types.
