Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

how can we change forwarder sourcetype?

lifekis
Explorer
‎07-21-2020 06:00 PM

I have a problem with parsing, so I want to change the sourcetype.

ex) index=A sourcetype=A  →  index=A sourcetype=B

I am using forwarder and restarted after changing sourcetype in inputs.conf.

However, the log flows into the existing sourcetype.
How can I solve it?

Labels (2)
0 Karma
Reply

mattymo
Splunk Employee
Splunk Employee
‎07-21-2020 06:15 PM

Hi! Can you please share more details, like Splunk version and full data path to indexer?

Is this Universal Forwarder to Indexer?

Can you try 

./splunk btool inputs list --debug

and confirm the forwarder sees your changes?

 

- MattyMo
0 Karma
Reply

lifekis
Explorer
‎07-21-2020 06:42 PM

splunk 8.0.4.1, forwarder 7.0

ㅡㅡㅡ

inputs.conf

[monitor:///home/splunk/logdownload/mail/*/*.csv]

host:0.0.0.0

disabled=false

index=mail

soure=csv

sourcetyep=forwarder_mail

crcSalt=<SOURCE>

 

[monitor:///home/splunk/logdownload/wk/*/*http*.csv]

host:0.0.0.0

disabled=false

index=web

soure=csv

sourcetyep=forwarder_http

crcSalt=<SOURCE>

 

[monitor:///home/splunk/logdownload/wk/*/*netapps*.csv]

host:0.0.0.0

disabled=false

index=web

soure=csv

sourcetyep=forwarder_app

crcSalt=<SOURCE>

ㅡㅡㅡ

./splunk btool inpus list --debug, No problem.

 

thank you for reply

0 Karma
Reply

mattymo
Splunk Employee
Splunk Employee
‎07-21-2020 06:50 PM

sourcetype is mispelled - "sourceteyp". splunk is likely ignoring it. can you confirm btool does not show the proper sourcetype set?

- MattyMo
0 Karma
Reply

lifekis
Explorer
‎07-21-2020 06:52 PM

It's a typo and already checked sourcetype set..

0 Karma
Reply

mattymo
Splunk Employee
Splunk Employee
‎07-21-2020 06:55 PM

what sourcetype are you receiving? is it being overridden at the indexer?

- MattyMo
0 Karma
Reply

lifekis
Explorer
‎07-21-2020 07:11 PM

 

 

img.png

0 Karma
Reply

mattymo
Splunk Employee
Splunk Employee
‎07-22-2020 04:25 AM

ok...so the events get picked up and sent to where? any intermediate forwarders in the path to the indexers? what sourcetype are you seeing in the events in splunk UI?

- MattyMo
Tags (1)
0 Karma
Reply

lifekis
Explorer
‎07-22-2020 05:08 PM

no intermediate and seeing sourcetype=forwarder.

still can not change sourcetype T.T

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...