I have a small LAN with a couple dozen servers all running Solaris. They are sending into a single instance of Splunk Enterprise via syslog.
I have created field extractions, dashboards, reports, etc. and everyone was happy -- then the sourcetypes started changing themselves, thereby breaking the field extractions etc. To illustrate this, I pulled up logons for the same user, to the same system over a 30 day period and noted three different sourcetypes in that time: "udp:514", "authlog-too_small", and "syslog". The source was always udp:514, and other than the sourcetype changing, I can tell no other difference in the events.
I've been having this issue for a long time and have tried adding sourcetype=syslog anywhere I can (inputs.conf, props.conf).
Other sourcetypes also change on other things, not just the username on this logon event.
This happened on 6.3, and it is still happening on 6.5.
I don't care so much that I can't force the sourcetype to syslog, as long as it stops changing randomly!
ANY ideas would be appreciated, even untested ones...!
thanks,
Mike