Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can Splunk Auto Change Sourcetype If Input Format Changes

rpettymb
New Member
‎03-19-2014 04:20 PM

Hello,

I have added a new input that looks like this:

> ...
>     Start calculating postfix queue depth on server1.domain.com at Wed Mar
> 19 22:45:01 UTC 2014
>     instance=1 deferred=1 active=0 incoming=0
>     instance=8 deferred=0 active=0 incoming=0
>     instance=9 deferred=27 active=0 incoming=0
>     Stop calculating postfix queue depth on server1.domain.com at Wed Mar
> 19 22:45:01 UTC 2014
>     Start calculating postfix queue depth on server1.domain.com at Wed Mar
> 19 23:45:01 UTC 2014
>     instance=1 deferred=1 active=0 incoming=0
>     instance=8 deferred=0 active=0 incoming=0
>     instance=9 deferred=27 active=0 incoming=0
>     Stop calculating postfix queue depth on server1.domain.com at Wed Mar
> 19 23:45:01 UTC 2014 ...

Splunk has applied a sourcetype of *-too_small. This is causing some grief as I can't simply search for "deferred>25". I am assuming the lines "Start... and Stop..." are causing Splunk to not auto parse this as I would hope. If I remove the lines "Start... and Stop..." going forward will Splunk change the sourcetype to something that can be parsed as simple key=value pairs?

Thank you!

Tags (1)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎03-21-2014 02:00 PM

The *-too_small indicates the sample size was too small for Splunk to guess the sourcetype, even if it may or may not recognize it from a larger sample. That's why I always specify the sourcetype wherever possible - even when it's an automatically recognized one.

0 Karma
Reply

dmaislin_splunk
Splunk Employee
Splunk Employee
‎03-21-2014 10:14 AM

Why are you not specifying a sourcetype in your inputs.conf?

Just add this to your inputs.conf and restart the forwarder:

sourcetype=postfixdata

Or something like that so that Splunk doesn't try to guess at a sourcetype and auto-learn them.

For this point all new indexed data will be in one sourcetype.

0 Karma
Reply

dmaislin_splunk
Splunk Employee
Splunk Employee
‎03-21-2014 10:15 AM

Once that is done we can help you with your linebreaks of the events, field extractions, etc.

0 Karma
Reply

rpettymb
New Member
‎03-21-2014 10:02 AM

Martin,

Maybe I am misunderstanding, but in simple (or well established) cases it detect a pattern and 'sometimes' just get it correct with zero configuration? In my case, I have now switched the data to be just the key value pairs "k1=v1 k2=v2" (4 keys per line), and now I can do basic searching, so I assume it must be detecting something. It did not however change the sourcetype.

I agree, about being explicit in all but none-simple cases, but I would hope ones like this would magically work 🙂

Regards.

Ron

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎03-21-2014 08:06 AM

How should that data be parsed? Where are the event breaks? Which timestamp should be used?

It's usually best to define a custom sourcetype for custom data, that will tell Splunk how to index the data - specifically, timestamping and event breaking.
After that you can define searchtime field extractions as you need them.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...