cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
HeavyHats
Explorer
Member since: ‎04-25-2022
‎02-20-2024
Community Statistics
Posts 7
Solutions 0
Karma Given 6
Karma Received 0
Member Since ‎04-25-2022
Activity Feed
View All

Re: Why do variations in sourcetype appear?

by in Getting Data In
‎02-19-2024 10:34 PM
‎02-19-2024 10:34 PM
14 years later, I'm coming here to say THANK YOU! One of my backburner projects has been trying to figure out why we've been getting "cron-2" and "error.log-too_small" type sourcetypes for over a year now. Simply defining the sourcetype for each file, as you suggested, has fixed the issue.  You, @hulahoop, are a lifesaver. ... View more

Re: tstats Is returning sourcetypes that do not ex...

by in Splunk Enterprise
‎07-08-2022 10:25 AM
‎07-08-2022 10:25 AM
Thank you for the insight. I discovered that version 8.5.0 of the Splunk Add-on for Microsoft Windows (Splunk_TA_windows) contains rename statements in Splunk_TA_windows/default/props.conf:  ## To provide backward compatibility for WinEventLog and XmlWinEventLog data ## These will be deprecated in future [WinEventLog:Security] rename = wineventlog [WinEventLog:Application] rename = wineventlog [WinEventLog:System] rename = wineventlog ... This appears to be the source of this behavior. Marking your solution as accepted.  ... View more

Re: tstats Is returning sourcetypes that do not ex...

by in Splunk Enterprise
‎07-08-2022 08:24 AM
‎07-08-2022 08:24 AM
If I'm limiting my search to the past 24 hours though, shouldn't tstats respect the time limit and not evaluate older data?  ... View more

Re: tstats Is returning sourcetypes that do not ex...

by in Splunk Enterprise
‎07-08-2022 08:20 AM
‎07-08-2022 08:20 AM
Where is a rename most likely to happen? (Universal Forwarder, Heavy Forwarder, Indexer, etc.). Our Universal Forwarders are not using a rename function in any props.conf files, and I've checked the heavy forwarder that these logs are passing through and it does not contain a rename function in any of its props.conf files either. I'm guessing this happens on the indexers?  ... View more

Re: tstats Is returning sourcetypes that do not ex...

by in Splunk Enterprise
‎07-07-2022 08:54 AM
‎07-07-2022 08:54 AM
Yes, that is part of the confusion here. "tstats" shows that "(Xml)WinEventLog:System" exists as a sourcetype, when it actually only exists as a source.  ... View more

Re: tstats Is returning sourcetypes that do not ex...

by in Splunk Enterprise
‎07-06-2022 04:32 PM
‎07-06-2022 04:32 PM
I can confirm that the first two queries do not produce identical lists. There is about 90% overlap, but each list contains entries which are absent from the other list.  I can also confirm that there is no leading/trailing whitespace. The last query produces no results.  ... View more

Why is tstats returning sourcetypes that do not ex...

by in Splunk Enterprise
‎07-06-2022 09:09 AM
‎07-06-2022 09:09 AM
I recently discovered that "tstats" is returning sourcetypes which do not exist.  Query:  | tstats values(sourcetype) where index=* by index  This returns a list of sourcetypes grouped by index. While it appears to be mostly accurate, some sourcetypes which are returned for a given index do not exist. For example, the sourcetype "WinEventLog:System" is returned for myindex, but the following query produces zero results:  index=myindex sourcetype="WinEventLog:System" This is the case for multiple indexes. If my understanding of "tstats" is correct, it works by only analyzing indexed fields which are stored in the tsidx files. If no events exist with a given sourcetype for a specific index, how could that value have possibly been saved in the tsidx files?  ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎02-20-2024 03:50 AM
Karma given to