Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

how can we change forwarder sourcetype?

lifekis
Explorer
‎07-21-2020 06:00 PM

I have a problem with parsing, so I want to change the sourcetype.

ex) index=A sourcetype=A  →  index=A sourcetype=B

I am using forwarder and restarted after changing sourcetype in inputs.conf.

However, the log flows into the existing sourcetype.
How can I solve it?

Labels (2)
0 Karma
Reply

mattymo
Splunk Employee
Splunk Employee
‎07-21-2020 06:15 PM

Hi! Can you please share more details, like Splunk version and full data path to indexer?

Is this Universal Forwarder to Indexer?

Can you try 

./splunk btool inputs list --debug

and confirm the forwarder sees your changes?

 

- MattyMo
0 Karma
Reply

lifekis
Explorer
‎07-21-2020 06:42 PM

splunk 8.0.4.1, forwarder 7.0

ㅡㅡㅡ

inputs.conf

[monitor:///home/splunk/logdownload/mail/*/*.csv]

host:0.0.0.0

disabled=false

index=mail

soure=csv

sourcetyep=forwarder_mail

crcSalt=<SOURCE>

 

[monitor:///home/splunk/logdownload/wk/*/*http*.csv]

host:0.0.0.0

disabled=false

index=web

soure=csv

sourcetyep=forwarder_http

crcSalt=<SOURCE>

 

[monitor:///home/splunk/logdownload/wk/*/*netapps*.csv]

host:0.0.0.0

disabled=false

index=web

soure=csv

sourcetyep=forwarder_app

crcSalt=<SOURCE>

ㅡㅡㅡ

./splunk btool inpus list --debug, No problem.

 

thank you for reply

0 Karma
Reply

mattymo
Splunk Employee
Splunk Employee
‎07-21-2020 06:50 PM

sourcetype is mispelled - "sourceteyp". splunk is likely ignoring it. can you confirm btool does not show the proper sourcetype set?

- MattyMo
0 Karma
Reply

lifekis
Explorer
‎07-21-2020 06:52 PM

It's a typo and already checked sourcetype set..

0 Karma
Reply

mattymo
Splunk Employee
Splunk Employee
‎07-21-2020 06:55 PM

what sourcetype are you receiving? is it being overridden at the indexer?

- MattyMo
0 Karma
Reply

lifekis
Explorer
‎07-21-2020 07:11 PM

 

 

img.png

0 Karma
Reply

mattymo
Splunk Employee
Splunk Employee
‎07-22-2020 04:25 AM

ok...so the events get picked up and sent to where? any intermediate forwarders in the path to the indexers? what sourcetype are you seeing in the events in splunk UI?

- MattyMo
Tags (1)
0 Karma
Reply

lifekis
Explorer
‎07-22-2020 05:08 PM

no intermediate and seeing sourcetype=forwarder.

still can not change sourcetype T.T

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...