Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

how can we change forwarder sourcetype?

lifekis
Explorer
‎07-21-2020 06:00 PM

I have a problem with parsing, so I want to change the sourcetype.

ex) index=A sourcetype=A  →  index=A sourcetype=B

I am using forwarder and restarted after changing sourcetype in inputs.conf.

However, the log flows into the existing sourcetype.
How can I solve it?

Labels (2)
0 Karma
Reply

mattymo
Splunk Employee
Splunk Employee
‎07-21-2020 06:15 PM

Hi! Can you please share more details, like Splunk version and full data path to indexer?

Is this Universal Forwarder to Indexer?

Can you try 

./splunk btool inputs list --debug

and confirm the forwarder sees your changes?

 

- MattyMo
0 Karma
Reply

lifekis
Explorer
‎07-21-2020 06:42 PM

splunk 8.0.4.1, forwarder 7.0

ㅡㅡㅡ

inputs.conf

[monitor:///home/splunk/logdownload/mail/*/*.csv]

host:0.0.0.0

disabled=false

index=mail

soure=csv

sourcetyep=forwarder_mail

crcSalt=<SOURCE>

 

[monitor:///home/splunk/logdownload/wk/*/*http*.csv]

host:0.0.0.0

disabled=false

index=web

soure=csv

sourcetyep=forwarder_http

crcSalt=<SOURCE>

 

[monitor:///home/splunk/logdownload/wk/*/*netapps*.csv]

host:0.0.0.0

disabled=false

index=web

soure=csv

sourcetyep=forwarder_app

crcSalt=<SOURCE>

ㅡㅡㅡ

./splunk btool inpus list --debug, No problem.

 

thank you for reply

0 Karma
Reply

mattymo
Splunk Employee
Splunk Employee
‎07-21-2020 06:50 PM

sourcetype is mispelled - "sourceteyp". splunk is likely ignoring it. can you confirm btool does not show the proper sourcetype set?

- MattyMo
0 Karma
Reply

lifekis
Explorer
‎07-21-2020 06:52 PM

It's a typo and already checked sourcetype set..

0 Karma
Reply

mattymo
Splunk Employee
Splunk Employee
‎07-21-2020 06:55 PM

what sourcetype are you receiving? is it being overridden at the indexer?

- MattyMo
0 Karma
Reply

lifekis
Explorer
‎07-21-2020 07:11 PM

 

 

img.png

0 Karma
Reply

mattymo
Splunk Employee
Splunk Employee
‎07-22-2020 04:25 AM

ok...so the events get picked up and sent to where? any intermediate forwarders in the path to the indexers? what sourcetype are you seeing in the events in splunk UI?

- MattyMo
Tags (1)
0 Karma
Reply

lifekis
Explorer
‎07-22-2020 05:08 PM

no intermediate and seeing sourcetype=forwarder.

still can not change sourcetype T.T

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...