I have a problem with parsing, so I want to change the sourcetype.
ex) index=A sourcetype=A → index=A sourcetype=B
I am using a forwarder and restarted it after changing the sourcetype in inputs.conf.
However, the log flows into the existing sourcetype.
How can I solve it?
Hi! Can you please share more details, like Splunk version and full data path to indexer?
Is this Universal Forwarder to Indexer?
Can you try
./splunk btool inputs list --debug
and confirm the forwarder sees your changes?
Splunk 126.96.36.199, forwarder 7.0
./splunk btool inputs list --debug: no problem.
Thank you for the reply.
OK... so the events get picked up and sent to where? Any intermediate forwarders in the path to the indexers? What sourcetype are you seeing in the events in the Splunk UI?