how can we change forwarder sourcetype?

lifekis
Explorer

I have a problem with parsing, so I want to change the sourcetype.

ex) index=A sourcetype=A  →  index=A sourcetype=B

I am using forwarder and restarted after changing sourcetype in inputs.conf.

However, the log flows into the existing sourcetype.
How can I solve it?


mattymo
Splunk Employee

Hi! Can you please share more details, like Splunk version and full data path to indexer?

Is this Universal Forwarder to Indexer?

Can you try 

./splunk btool inputs list --debug

and confirm the forwarder sees your changes?

- MattyMo

lifekis
Explorer

splunk 8.0.4.1, forwarder 7.0

inputs.conf:

[monitor:///home/splunk/logdownload/mail/*/*.csv]
host:0.0.0.0
disabled=false
index=mail
soure=csv
sourcetyep=forwarder_mail
crcSalt=<SOURCE>

[monitor:///home/splunk/logdownload/wk/*/*http*.csv]
host:0.0.0.0
disabled=false
index=web
soure=csv
sourcetyep=forwarder_http
crcSalt=<SOURCE>

[monitor:///home/splunk/logdownload/wk/*/*netapps*.csv]
host:0.0.0.0
disabled=false
index=web
soure=csv
sourcetyep=forwarder_app
crcSalt=<SOURCE>

./splunk btool inputs list --debug: no problem.

thank you for reply


mattymo
Splunk Employee

sourcetype is misspelled - "sourceteyp". splunk is likely ignoring it. can you confirm btool does not show the proper sourcetype set?

- MattyMo
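As an added example (not from this thread, and not Splunk's own tooling), here is a small POSIX shell lint that surfaces the condition MattyMo's btool check is meant to reveal: it walks an inputs.conf and reports settings a monitor stanza does not recognise, which Splunk silently ignores, so a misspelled sourcetype key leaves the old sourcetype in place. The key allowlist is a hand-picked subset of real monitor-stanza settings, and the sample file is constructed here to reproduce the stanza posted above.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes POSIX sh plus awk.
# The allowlist is a subset of monitor-stanza keys, not Splunk's full list.

# lint_inputs_conf FILE
#   Prints one "stanza<TAB>problem" line per suspicious setting.
#   Returns 1 if anything was flagged, 0 if the file looks clean.
lint_inputs_conf() {
  awk '
    BEGIN {
      # Known monitor-stanza keys (subset; extend for your deployment)
      split("host disabled index source sourcetype crcSalt ignoreOlderThan whitelist blacklist followTail recursive", k, " ")
      for (i in k) known[k[i]] = 1
      stanza = "(global)"; bad = 0
    }
    /^[ \t]*$/ || /^[ \t]*#/ { next }          # skip blanks and comments
    /^\[.*\]/ { stanza = $0; next }            # new stanza header
    {
      line = $0
      # A setting without "=" (e.g. "host:0.0.0.0") is not parsed as a key
      if (index(line, "=") == 0) {
        printf "%s\tMALFORMED: %s\n", stanza, line; bad++; next
      }
      key = substr(line, 1, index(line, "=") - 1)
      gsub(/[ \t]/, "", key)
      # Unknown keys (such as "sourcetyep" or "soure") are ignored by Splunk
      if (!(key in known)) {
        printf "%s\tUNKNOWN KEY: %s\n", stanza, key; bad++
      }
    }
    END { exit (bad > 0) }
  ' "$1"
}

# Constructed sample that mirrors the first stanza from the post above.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
[monitor:///home/splunk/logdownload/mail/*/*.csv]
host:0.0.0.0
disabled=false
index=mail
soure=csv
sourcetyep=forwarder_mail
crcSalt=<SOURCE>
EOF

lint_inputs_conf "$SAMPLE" || echo "inputs.conf contains settings Splunk will ignore"
```

Run it against the forwarder's own copy of inputs.conf (the one under `etc/apps/<app>/local/` that btool reports) before restarting; a clean file exits 0, and anything flagged is a setting that never reaches the indexer.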

lifekis
Explorer

It's a typo, and I already checked that the sourcetype is set.


mattymo
Splunk Employee

what sourcetype are you receiving? is it being overridden at the indexer?

- MattyMo

lifekis
Explorer

[image attachment: img.png]


mattymo
Splunk Employee

ok...so the events get picked up and sent to where? any intermediate forwarders in the path to the indexers? what sourcetype are you seeing in the events in splunk UI?

- MattyMo

lifekis
Explorer

No intermediates, and I'm seeing sourcetype=forwarder.

still can not change sourcetype T.T
