I have a problem with parsing, so I want to change the sourcetype.
ex) index=A sourcetype=A → index=A sourcetype=B
I am using a forwarder and restarted it after changing the sourcetype in inputs.conf.
However, the log flows into the existing sourcetype.
How can I solve it?
Hi! Can you please share more details, like Splunk version and full data path to indexer?
Is this Universal Forwarder to Indexer?
Can you try
./splunk btool inputs list --debug
and confirm the forwarder sees your changes?
Splunk 8.0.4.1, forwarder 7.0
ㅡㅡㅡ
inputs.conf
[monitor:///home/splunk/logdownload/mail/*/*.csv]
host:0.0.0.0
disabled=false
index=mail
soure=csv
sourcetyep=forwarder_mail
crcSalt=<SOURCE>
[monitor:///home/splunk/logdownload/wk/*/*http*.csv]
host:0.0.0.0
disabled=false
index=web
soure=csv
sourcetyep=forwarder_http
crcSalt=<SOURCE>
[monitor:///home/splunk/logdownload/wk/*/*netapps*.csv]
host:0.0.0.0
disabled=false
index=web
soure=csv
sourcetyep=forwarder_app
crcSalt=<SOURCE>
ㅡㅡㅡ
./splunk btool inputs list --debug: no problem.
Thank you for the reply.
sourcetype is misspelled - "sourceteyp". Splunk is likely ignoring it. Can you confirm btool does not show the proper sourcetype set?
It's a typo, and I already checked that the sourcetype is set.
What sourcetype are you receiving? Is it being overridden at the indexer?
OK... so the events get picked up and sent to where? Any intermediate forwarders in the path to the indexers? What sourcetype are you seeing in the events in the Splunk UI?
No intermediate, and I am seeing sourcetype=forwarder.
Still cannot change the sourcetype T.T
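An added example, not part of the original thread: a small Python lint for the kind of inputs.conf problem discussed above (misspelled setting names and `key:value` lines). The function name `lint_inputs_conf`, the `KNOWN_KEYS` subset and the sample text (the first stanza as posted) are assumptions made for illustration; this is not Splunk's own tooling.

```python
import difflib
import re

# Assumption: a subset of monitor-stanza settings from inputs.conf, not exhaustive.
KNOWN_KEYS = {
    "host", "index", "source", "sourcetype", "disabled", "queue",
    "crcSalt", "initCrcLength", "whitelist", "blacklist", "host_regex",
    "host_segment", "ignoreOlderThan", "followTail", "alwaysOpenFile",
    "time_before_close", "recursive", "followSymlink", "_TCP_ROUTING",
}

# Constructed sample: the first stanza exactly as posted in the thread.
SAMPLE = """\
[monitor:///home/splunk/logdownload/mail/*/*.csv]
host:0.0.0.0
disabled=false
index=mail
soure=csv
sourcetyep=forwarder_mail
crcSalt=<SOURCE>
"""

def lint_inputs_conf(text):
    """Return (line_no, stanza, problem) for lines that are not a known key = value setting."""
    findings, stanza = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            stanza = header.group(1)
            continue
        if "=" not in line:
            findings.append((no, stanza, f"not 'key = value': {line!r}"))
            continue
        key = line.split("=", 1)[0].strip()  # setting names are case-sensitive
        if key not in KNOWN_KEYS:
            guess = difflib.get_close_matches(key, KNOWN_KEYS, n=1)
            hint = f", did you mean {guess[0]!r}?" if guess else ""
            findings.append((no, stanza, f"unknown key {key!r}{hint}"))
    return findings

if __name__ == "__main__":
    for no, stanza, problem in lint_inputs_conf(SAMPLE):
        print(f"line {no} [{stanza}]: {problem}")
```

Run against the posted stanza, it reports the `host:0.0.0.0` line and both misspelled keys. A sourcetype that still arrives wrong after those are fixed points to an override elsewhere in the path, as the replies ask about.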