I have a production equipment storing a log that I can access through FTP. I installed FTP Pull and set up an input and it works OK that far. However, the file format is a bit odd, so simply taking it in is not enough. (It has a special timestamp that Splunk does not interpret correctly out of the box, and there is no header line in the file). I have created a new sourcetype where I configured timestamp format and field names. When I upload the file manually and apply that particular sourcetype, data is indexed properly. I selected this sourcetype in the FTP Input configuration but it does not seem to take effect. The indexed events get this selected sourcetype associated, but the configuration of the sourcetype is not observed, so when the file comes through FTP, it is indexed incorrectly. Is there a way to enforce the FTP Input to actually apply the configuration of the selected sourcetype? Thanks in advance for sharing your thoughts or experience with me
... View more