Hi,
I am working on troubleshooting one issue where data from a particular sourcetype is not getting parsed correctly. I came across this page under Settings -> Sourcetypes and want to understand what exactly it is telling us. When I see the sourcetypes listed on this page, there are several missing even though we can see data in Splunk for those sourcetypes. If I do `index=* | stats count by sourcetype` all of them are listed, but many from that list won't show up on that page. Checked on both search head & indexer but same results.
E.g., we are getting Windows Event Log data from the 4 common sources, i.e. Application, Security, System and Setup. But when I check under Settings -> Sourcetypes, only Application and Security are listed and the app assigned to them is splunk_app_windows_infrastructure. What happened to the other two sourcetypes (System/Setup) for which we are getting data?
![alt text][1]
But we are getting data for all the sources.
![alt text][2]
Thanks,
~ Abhi
[1]: /storage/temp/254716-wineventlog-splunk1.png
[2]: /storage/temp/254717-wineventlog-splunk2.png