Getting Data In

How can it be that a source type in use isn't listed in Settings: (Data) Source types?

DUThibault
Contributor

We have a single Splunk instance (the server) with a number of Forwarders on remote machines (the clients). I've installed Splunk_TA_nix which added a number of scripts as data inputs on the clients and on the server. I want to exclude the server, but since there is no way (that I know of) to reassign a script (or any data input for that matter) to a Server class, I first disabled the scripts on the server. This also disabled them on the clients (because the app deployment keeps Splunk_TA_nix in sync I suppose). So I started recreating the scripts as new data inputs assigned to a Server class that includes just the clients. But a number of the scripts have source types (auditd, Unix:ListeningPorts, etc.) that are absent from the Settings: (Data) Source types display, and as a result I cannot create the corresponding new data inputs. At the Input Settings step, just before Review, the Select Source Type drop-down refuses to find the ones I need.

Am I missing something obvious? Is this a bug? Is there a way to do this that is less painful, maybe by editing some .conf file(s)?

0 Karma

s2_splunk
Splunk Employee
Splunk Employee

If the attribute pulldown_type=true is not set for your relevant sourcetype in props.conf, it won't show up in the UI.

0 Karma

DUThibault
Contributor

Interesting to know (at this point I sure wish that the Splunk Web Source Types page had a "Show hidden source types" check box; likewise for the Input Settings screen of the Add New Data Input work flow), but that does not seem to be what's happening here. Scouring the Splunk_TA_nix and splunk_app_for_nix archives, the only file that contains "pulldown_type" is Splunk_TA_nix/default/props.conf, and its value is true. So that's not why 9 of the 28 source types (auditd, Unix:ListeningPorts, Unix:Service, Unix:SSHDConfig, Unix:Update, Unix:Uptime, Unix:UserAccounts, Unix:Version, Unix:VSFTPDConfig) are invisible to Settings: (Data) Source types.

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...