Beatus, (hope you're still monitoring this thread...)
I love your solution. Our cluster has hundreds of these sourcetypes-too_small, and they're inconsistent, so any report based on them, or their root sourcetype fails often. It floors me that the sourcetype is pretty much always set to the same thing as the source, then when it fulfills this "too small" check, adds the -too_small to the source (and existing sourcetype name) -- when it would be better to simply leave the sourcetype name the same as source if it can't guess it -- rather than creating a completely new (and wrong) sourcetype. Oh Great Splunkin, are you listening?
So,
I've done the above -- and put them on my heavy forwarders (didn't work) and then put them on my indexers (deployed them in a bundle from my cluster master). But it did not fix the problem.
Would you happen to know if this fix still works -- or ever did?
Forgive my questioning, but so often I see people answering here with "this should fix it..." without ever actually having tried it and experienced it being fixed afterwards...