Activity Feed
- Posted Can I turn off the data is too_small sourcetype behavior? on Getting Data In. 03-31-2017 03:16 PM
- Posted four replies (Re: Can I turn off the data is too_small sourcetype behavior?) on Getting Data In. 04-03-2017, 10:20 AM through 03:43 PM
04-03-2017 03:43 PM
beatus,
Thanks for all the effort. Your answers have been helpful, but I think I'm going to kludge my log files to ensure they contain a minimum of 101 events. The solution above, I believe, uses the filename (stripped of the '-too_small' text) for the sourcetype. My filenames are [hostname]_[type].log, so additional work is needed. And it will break, I believe, if the files start small and later grow, and so aren't caught up in this problem. This all seems extremely hacky just to work around the 'feature' of ignoring all the rules at input time for small files. I wonder if this behavior is a bug or an orphaned feature from an old version. I can't find any documentation on why this substitution is occurring, beyond that when the log file contains 100 or fewer events it has -too_short appended to the filename. As if that is a reason.
I'll mark this as the answer as we have a couple of possible workarounds for this in here.
mark
04-03-2017 12:11 PM
I did some testing in a stand-alone test environment (v6.4.6) and found the learned app isn't controlled by enabling/disabling it from the Managing Apps web UI.
With the learned app disabled and the index cleaned, when new logs are added the C:\Program Files\Splunk\etc\apps\learned\local\props.conf file still gets updated with [filename]-too_small stanzas, so disabling doesn't work even though C:\Program Files\Splunk\etc\apps\learned\local\app.conf looks like:
[install]
state = disabled
So maybe disabling the learned app might work, but how?
04-03-2017 11:42 AM
I'm currently assigning sourcetypes dynamically using rules in the C:\Program Files\Splunk\etc\system\local\props.conf (my test environment), e.g.:
[rule::MySourceType1]
sourcetype=my_sourcetype1
MORE_THAN_80=[regex here]
. . .
This works great for logs with > 100 events; if fewer, the rule is ignored and the sourcetype is set to either "too_small" or [filename]-too_small. Also, once set to too_small it will never use the rule to assign the sourcetype again, even as the file grows to > 100 events.
I'm not sure what the purpose of transforms.conf is over props.conf.
04-03-2017 10:20 AM
Thank you for your reply!
I tried the props.conf entry but that simply set the sourcetype of all of the small logs to "too_small" rather than "-too_small".
I disabled the learned app, stopped Splunk, cleaned the index and restarted Splunk, and I still get all the small logs assigned a sourcetype of "too_small".
I also removed the "-too_small" stanzas from the learned app's local props.conf file with same result.
Any other ideas?
03-31-2017 03:16 PM
I have a set of log files that, when they contain more than 99 events, have rules defined in props.conf to properly apply sourcetypes. Yet when the logs contain 99 or fewer events, the sourcetype gets set to "[filename]-too_small". When the files grow to 100 events or more, they still have the incorrect sourcetype applied.
Is there any way to stop this default action other than to "pad" the logs with dummy events so they number at least 100? Basically I would like Splunk to consult the rule stanzas in the props.conf file before resorting to the default action on small files.
Thanks
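An added example for the behaviour discussed in this thread; it is not the poster's code and not Splunk's. It is a small Python pre-flight check that parses props.conf `rule::` stanzas (MORE_THAN_<n> / LESS_THAN_<n> as the percentage of lines that must or must not match the regex, which is their documented meaning), then classifies constructed log files the way the thread describes: a file with fewer than 100 events never reaches the rules and lands in `<basename>-too_small`, and the padding workaround only helps if the filler lines themselves match the rule. The 100-event threshold, the `-too_small` naming, the sample stanzas and the file names are assumptions taken from the posts; Splunk's real source type learner is not reproduced.

```python
"""Pre-flight check for Splunk props.conf rule:: stanzas against small log files.

Added example for this thread, not Splunk's or the poster's code. It approximates
rule:: semantics (MORE_THAN_<n>/LESS_THAN_<n> = percent of lines matching) and the
behaviour reported in the thread: fewer than TOO_SMALL_THRESHOLD events bypasses
the rules and yields '<basename>-too_small'. Threshold and naming are assumptions.
"""
import os
import re

TOO_SMALL_THRESHOLD = 100  # events; "99 or fewer" is too small per the poster (assumption)

# Constructed props.conf fragment modelled on the poster's [rule::MySourceType1] stanza.
SAMPLE_PROPS_CONF = r"""
[rule::MySourceType1]
sourcetype = my_sourcetype1
MORE_THAN_80 = ^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \[\w+\]

[rule::MySourceType2]
sourcetype = my_sourcetype2
MORE_THAN_80 = ^\w{3} \d{1,2} \d{2}:\d{2}:\d{2} \S+ sshd\[\d+\]:
LESS_THAN_10 = ^\d{4}-
"""


def parse_rules(conf_text):
    """Parse [rule::name] stanzas into dicts with 'name', 'sourcetype' and 'tests',
    where each test is (kind, percent, compiled_regex), kind in {'MORE', 'LESS'}."""
    rules, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            current = None  # any non-rule stanza ends the current rule
            if stanza.startswith("rule::"):
                current = {"name": stanza[len("rule::"):], "sourcetype": None, "tests": []}
                rules.append(current)
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "sourcetype":
            current["sourcetype"] = value
            continue
        m = re.fullmatch(r"(MORE|LESS)_THAN_(\d+)", key)
        if m:
            current["tests"].append((m.group(1), int(m.group(2)), re.compile(value)))
    return rules


def rule_matches(rule, lines):
    """True when every MORE_THAN/LESS_THAN test passes on the given event lines."""
    if not lines:
        return False
    for kind, pct, rx in rule["tests"]:
        share = 100.0 * sum(1 for ln in lines if rx.search(ln)) / len(lines)
        if kind == "MORE" and not share > pct:
            return False
        if kind == "LESS" and not share < pct:
            return False
    return True


def classify(rules, filename, lines):
    """Return (sourcetype, reason) for one file, replicating the reported behaviour:
    too few events -> '<basename>-too_small' without consulting any rule."""
    if len(lines) < TOO_SMALL_THRESHOLD:
        base = os.path.splitext(os.path.basename(filename))[0]
        return f"{base}-too_small", f"{len(lines)} events < {TOO_SMALL_THRESHOLD}"
    for rule in rules:
        if rule_matches(rule, lines):
            return rule["sourcetype"], f"matched rule::{rule['name']}"
    return None, "no rule:: stanza matched"


def pad_to_threshold(lines, filler):
    """The poster's workaround: append filler events until the file is not 'too small'.
    Caveat: filler that does not match the rule's regex dilutes MORE_THAN_<n>."""
    padded = list(lines)
    while len(padded) < TOO_SMALL_THRESHOLD:
        padded.append(filler)
    return padded


def app_events(n):
    """Constructed sample events in the format MySourceType1 expects."""
    return [f"2017-03-31 15:16:{i % 60:02d} [INFO] event {i}" for i in range(n)]


def sshd_events(n):
    """Constructed sample events in the format MySourceType2 expects."""
    return [f"Mar 31 15:16:{i % 60:02d} host1 sshd[{1000 + i}]: Accepted publickey for mark"
            for i in range(n)]


def demo():
    """Classify constructed files; returns {filename: sourcetype or None}."""
    rules = parse_rules(SAMPLE_PROPS_CONF)
    files = {
        "host1_app.log": app_events(150),        # enough events, rules apply
        "host1_sshd.log": sshd_events(120),
        "host2_app.log": app_events(40),         # too small, rules skipped
        "host2_app_padded_bad.log": pad_to_threshold(app_events(40), "padding"),
        "host2_app_padded_ok.log": pad_to_threshold(app_events(40), app_events(1)[0]),
    }
    return {name: classify(rules, name, lines)[0] for name, lines in files.items()}


if __name__ == "__main__":
    for name, sourcetype in demo().items():
        print(f"{name:28s} -> {sourcetype}")
```

Running `demo()` shows the two failure modes side by side: `host2_app.log` never reaches the rules and becomes `host2_app-too_small`, and `host2_app_padded_bad.log`, padded with 60 lines of `padding`, clears the size check but only 40% of its lines match `MORE_THAN_80`, so no rule fires. Padding with events that match the stanza (`host2_app_padded_ok.log`) is the only variant of the workaround that lands on `my_sourcetype1`.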