Splunk Search

Adding new sourcetype and input result in no effect?

yshen
Communicator

On a heavy forwarder, I added a new sourcetype in /opt/splunk/etc/apps/<my_app>/local/props.conf,

 

[sensor_data]
DATETIME_CONFIG =
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Custom
disabled = false
pulldown_type = true
BREAK_ONLY_BEFORE_DATE =

 

and also at 

/opt/splunk/etc/apps/<my_app>/local/inputs.conf
add

 

[monitor:///home/slog/sensor_logs/sensor_*.dat]
disabled = false
index = cse_scada
sourcetype = sensor_data

 

where my_app has been defined and establish working for the existing sourcetypes and indexes. 

The index cse_scada has also been defined and working.

I thought that this is what it takes to introduce a new sorucetype and input on a Heavy Forwarder. But I don't see the newly defined souncetype listed in the list sourcetype, nor do I found any expected data in a query of 

 

sourcetype=sensor_data

 

I didn't see any error in the <SPLUNK>/var/log/splunkd.log

I wonder what else I need to do to the definitions working? 

- Do I have to restart the forwarder?

- Any other means to let it to take effect?

Labels (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Yes, the forwarder must be restarted after modifying .conf files.

When querying for the data, be sure to specify the index name.

---
If this reply helps you, an upvote would be appreciated.

View solution in original post

yshen
Communicator

I wish there is a way that is less impacting to the service than restarting the forwarder.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Yes, the forwarder must be restarted after modifying .conf files.

When querying for the data, be sure to specify the index name.

---
If this reply helps you, an upvote would be appreciated.
Get Updates on the Splunk Community!

Maximize the Value from Microsoft Defender with Splunk

<P style=" text-align: center; "><span class="lia-inline-image-display-wrapper lia-image-align-center" ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

<FONT size="5"><FONT size="5" color="#FF00FF">Get the latest news and updates from the Splunk Community ...