Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how can we change forwarder sourcetype?

lifekis
Explorer
‎07-21-2020 06:00 PM

I have a problem with parsing, so I want to change the sourcetype.

ex) index=A sourcetype=A  →  index=A sourcetype=B

I am using forwarder and restarted after changing sourcetype in inputs.conf.

However, the log flows into the existing sourcetype.
How can I solve it?

Labels (2)
0 Karma
Reply

mattymo
Splunk Employee
Splunk Employee
‎07-21-2020 06:15 PM

Hi! Can you please share more details, like Splunk version and full data path to indexer?

Is this Universal Forwarder to Indexer?

Can you try 

./splunk btool inputs list --debug

and confirm the forwarder sees your changes?

 

- MattyMo
0 Karma
Reply

lifekis
Explorer
‎07-21-2020 06:42 PM

splunk 8.0.4.1, forwarder 7.0

ㅡㅡㅡ

inputs.conf

[monitor:///home/splunk/logdownload/mail/*/*.csv]

host:0.0.0.0

disabled=false

index=mail

soure=csv

sourcetyep=forwarder_mail

crcSalt=<SOURCE>

 

[monitor:///home/splunk/logdownload/wk/*/*http*.csv]

host:0.0.0.0

disabled=false

index=web

soure=csv

sourcetyep=forwarder_http

crcSalt=<SOURCE>

 

[monitor:///home/splunk/logdownload/wk/*/*netapps*.csv]

host:0.0.0.0

disabled=false

index=web

soure=csv

sourcetyep=forwarder_app

crcSalt=<SOURCE>

ㅡㅡㅡ

./splunk btool inpus list --debug, No problem.

 

thank you for reply

0 Karma
Reply

mattymo
Splunk Employee
Splunk Employee
‎07-21-2020 06:50 PM

sourcetype is mispelled - "sourceteyp". splunk is likely ignoring it. can you confirm btool does not show the proper sourcetype set?

- MattyMo
0 Karma
Reply

lifekis
Explorer
‎07-21-2020 06:52 PM

It's a typo and already checked sourcetype set..

0 Karma
Reply

mattymo
Splunk Employee
Splunk Employee
‎07-21-2020 06:55 PM

what sourcetype are you receiving? is it being overridden at the indexer?

- MattyMo
0 Karma
Reply

lifekis
Explorer
‎07-21-2020 07:11 PM

 

 

img.png

0 Karma
Reply

mattymo
Splunk Employee
Splunk Employee
‎07-22-2020 04:25 AM

ok...so the events get picked up and sent to where? any intermediate forwarders in the path to the indexers? what sourcetype are you seeing in the events in splunk UI?

- MattyMo
Tags (1)
0 Karma
Reply

lifekis
Explorer
‎07-22-2020 05:08 PM

no intermediate and seeing sourcetype=forwarder.

still can not change sourcetype T.T

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI! Discover how Splunk’s agentic AI ...

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...