After setting a rather simple props entry for sourcetype [sharepoint] for our log to break events only after datestamp\s and not datestamp* (to keep multiple-line messages together), I input a file via oneshot specifying -sourcetype=sharepoint.
Now when looking at the data, I've got data with sourcetype=sharepoint-2.
What's causing this and how can I prevent it?
What might the name of your file be? There are some file patterns that Splunk tries to generate a CSV header for. You can see this in the default props.conf if you look for CHECK_FOR_HEADER. You probably want to disable/override this.